I.  INTRODUCTION

A.   BACKGROUND 

In  private  industry,  the  goal  of  the  organization  is 
often  to  maximize  profit.  The  Federal  Government  does  not 
have  this  simple  a  measure  by  which  to  gauge  success  or 
failure.  However,  the  goal  to  maximize  profit  is  based  on 
two  underlying  principles  that  do  relate  to  the  operations 
performed  by  the  Federal  Government.  Those  two  principles 
are  efficiency  and  effectiveness.  Efficiency  is  attained  by 
minimizing  waste  in  the  generation  of  output,  and 
effectiveness is attained by that output achieving the
Federal Government's goals. To produce its output and
achieve its goals, the Government must use resources. These
resources are not unlimited and they are acquired through
taxation  of  the  people.  When  these  resources  are  wasted  or 
when  the  goals  are  not  achieved,  the  people  exhibit  very 
strong  concerns.  They  measure  the  success  or  failure  of  the 
Federal  Government  by  their  knowledge  or  perceptions  of  how 
goals  are  being  accomplished  and  how  resources  are  being 
used. Congress, sensitive to the needs and concerns of the
governed, passed the Federal Managers' Financial Integrity
Act of 1982 (FMFIA) [Ref. 1]. The Act was designed to
increase the use of internal controls throughout the Federal
Government [Ref. 2]. A period of six years has elapsed
since that Act's passage and the Department of the
Navy has implemented a program to meet the requirements of
that Act [Ref. 3].

B.   PURPOSE  AND  OBJECTIVES  OF  THE  RESEARCH 

The  primary  purpose  of  this  study  was  to  examine  the 
implementation  and  execution  of  the  Navy's  Internal  Control 
Program  at  the  local  activity  level.  The  first  step  in 
trying  to  achieve  that  goal  was  to  select  an  activity  that 
provided  a  wide  diversity  of  functions  with  a  high 
susceptibility  to  fraud,  waste  and  abuse.  A  second  step  was 
to  look  for  an  activity  that  supported  both  operational 
forces  and  shore  based  facilities.  The  third  and  final  step 
for  selecting  an  activity  was  to  find  one  that  had  a 
permanently  assigned  Naval  Audit  Service  auditor.  A 
requirement for an on-site auditor was felt to be necessary
for  obtaining  an  external  evaluation  of  the  local  activity's 
performance  regarding  the  use  of  internal  controls.  The 
only  type  of  activity  to  meet  all  of  the  preceding 
requirements was a Naval Shipyard. Naval Shipyards are the
only  Navy  shore  activities  that  have  permanently  assigned 
on-site  auditors.  As  an  industrial  activity  of  major 
importance,  the  shipyard  has  numerous  functions  which  are 
representative  of  both  Federal  and  private  business 
activities.  Some  typical  common  functions  are  the  sales 
cycle,  the  collections  cycle,  the  manufacturing  cycle,  the 
purchasing cycle and automated data processing cycle.
Because  these  cycles  are  commonplace  this  study  may  provide 
a  sense  of  how  a  typical  internal  control  program  evolved 
and  is  currently  being  used  to  protect  resources.  One  of 
the  shipyard's  primary  mechanisms  used  to  monitor  the  use  of 
its  resources  is  the  Navy's  Industrial  Fund.  The  Industrial 
Fund  is  a  revolving  fund  that  is  reimbursed  through  the 
purchase of services by its customers. Annual expenditures
for the eight active shipyards during Fiscal Year 1987 were
approximately  $3.7  billion  and  expenditures  for  Fiscal  Year 
1988  are  projected  to  be  $3.4  billion  [Ref.  4]. 

The  specific  objectives  of  this  thesis  are  to: 

(1)  Identify  the  basic  requirements  of  internal  controls, 

(2)  Trace  the  history  of  internal  control  in  the  Federal 
Government  and  the  Department  of  Defense, 

(3)  Identify  the  key  individuals  responsible  for  local 
implementation, 

(4)  Identify  the  types  of  internal  controls  being  used, 

(5)  Evaluate  the  use  of  internal  controls  used  to  correct 
problems, 

(6)  Describe  the  attitudes  of  the  key  individuals  and 
their  perceptions  of  the  benefits  of  having  an 
internal  control  program. 

C.   SCOPE,  ASSUMPTIONS  AND  LIMITATIONS 

This  thesis  was  directed  primarily  toward  a  review  of 
one  shipyard's  internal  control  program,  with  special 
emphasis  on  examining  the  specific  controls  used  to  correct 
actual or potential errors existing within that shipyard's
functions.  A  major  assumption  for  this  study  was  that,  if 
the  shipyard  had  not  implemented  an  internal  control 
program,  there  would  have  been  no  other  internal  method 
developed  to  cause  line  managers  to  evaluate  how  efficiently 
or  effectively  their  functions  operate.  The  fact  that, 
until  after  the  passage  of  FMFIA,  there  were  no  records  to 
document  whether  line  managers  were  in  the  habit  of 
evaluating  their  areas  of  responsibility  was  the  basis  upon 
which  the  previous  assumption  was  made.  Without  an  internal 
control  program,  it  was  assumed  that  the  ability  of  the 
Secretary  of  Defense  to  certify  the  effectiveness  of  his 
department's internal controls would have been most
difficult. 

This  study  was  limited  to  on-site  field  work  within  a 
single  shipyard  and  all  contacts  with  the  Naval  Sea  Systems 
Command  were  made  through  the  use  of  telephone  interviews. 

D.   STUDY  DESIGN  AND  METHODOLOGY 

This  study  was  designed  to  be  accomplished  in  four 
phases.  Phase  one  was  a  historical  search  of  the  applicable 
laws,  instructions  and  reports  that  pertained  to  the  Navy's 
eventual  implementation  of  a  formal  internal  control 
program.  The  historical  search  for  information  was 
necessary  in  order  to  provide  the  basis  for  identifying  the 
methods  and  measures  needed  to  conduct  phases  two  and  three. 
Additionally,  phase  one  was  done  so  as  to  understand  how  the 
program evolved at the different administrative levels
within the Department of Defense, which were responsible for
executing the requirements of the Federal Managers'
Financial Integrity Act of 1982.

Phase  two  encompasses  the  selection,  contact  and 
preliminary  survey  of  an  appropriate  local  activity  for 
field  work.  The  selection  of  a  shipyard  was  based  on  its 
representation  of  a  wide  variety  of  financial,  support  and 
production functions. Each of those functions has a
significant  potential  for  resources  being  subjected  to 
fraud,  waste  and  abuse.  A  shipyard  is  a  good  candidate  for 
study  because  it  has  a  significant  impact  on  and  interfaces 
with  both  operational  and  non-operational  forces  within  the 
Navy. That interface is important to this study because
all important shore activities exist in the
Navy to support the Fleet. The more support a shore
activity provides, the greater its importance to the overall
mission of the Navy. Usually, the largest assembly of the
Navy's assets is in direct support of fleet operations.
The  next  part  of  phase  two  was  to  establish  formal  contacts 
with  shipyard  representatives.  This  part  opened  the 
channels  of  communication  needed  to  gain  access  to  records 
and  line  managers  for  conducting  field  work  during  phase 
three.  The  final  part  of  phase  two  was  a  preliminary  survey 
of  the  shipyard.  A  preliminary  survey  allowed  for  the 
opportunity  to  gain  first-hand  knowledge  about 
organizational relationships and it allowed first-hand
examination  of  records  for  determining  the  appropriate 
functions  to  be  selected  for  the  phase  three  case  studies. 

Phase  three  focuses  on  the  actual  on-site  field  work. 
This  field  work  was  designed  to  identify  the  local  program, 
obtain  the  requirements  of  that  program,  conduct  interviews 
about  the  attitudes  of  the  supporting  organization  and 
develop  six  case  studies.  The  six  case  studies  were  used  to 
examine  specific  examples  of  internal  controls  used  to 
prevent  material  errors. 

Phase  four,  the  last  phase,  deals  with  interpreting  the 
results  from  phases  two  and  three. 

E.   THESIS  ORGANIZATION 

Chapter  I  is  an  introduction.  It  explains  the 
importance  of  internal  controls  and  describes  the  goals  and 
objectives  for  this  study.  The  scope  and  research  method 
were  briefly  discussed  to  provide  a  frame  of  reference  for 
the  information  to  be  presented. 

Chapter  II  is  a  general  description  of  what  internal 
controls  are  and  what  things  need  to  be  considered  when 
attempting  to  utilize  internal  controls  for  prevention  of 
fraud,  waste  and  abuse. 

Chapter  III  is  a  historical  review  of  the  applicable 
laws  and  circulars  that  established  the  requirements  for  the 
Federal  Government's  programmed  use  of  internal  controls. 

Chapter IV is a description and history of how the
Department of Defense executed the requirements of the
Federal Managers' Financial Integrity Act through the
Headquarters Component level. Topics discussed are
responsibilities, written guidance, vulnerability
assessments,  management  control  reviews,  the  internal 
control  program's  operational  process,  the  Naval  Audit 
Service's  review  of  the  program,  and  the  General  Accounting 
Office's  analysis  of  the  internal  control  program. 

Chapter  V  addresses  how  a  shipyard  developed  and 
organized  a  local  internal  control  program. 

Chapter  VI  examines  how  the  Internal  Control  Program 
actually  works  and  provides  some  evaluation  on  how  the 
actual  operation  reflects  the  design  intended  by  the  local 
activity. 

Chapter  VII  summarizes  the  conclusions  and 
recommendations  supported  by  the  field  work. 


II.   INTERNAL  CONTROLS  OVERVIEW 

A.  INTRODUCTION 

Organizations,  either  profit  or  non-profit,  consume 
resources  to  achieve  their  objectives.  Examples  of  these 
resources  include  personnel,  information  and  capital. 
Resources  are  used  in  event  cycles  which  are  "groups  of 
related  steps  or  actions  within  a  program  or  function  that 
are  held  together  by  a  significant  beginning  and  ending 
point." [Ref. 5:p. A.3] Another term for an event cycle is
a  system.  Although  resources  are  essential,  they  are  also 
scarce.  Therefore,  their  consumption  must  be  controlled. 
This  is  the  purpose  of  an  internal  control  system. 

This  chapter  will  outline  important  definitions, 
objectives,  standards,  risk  and  compliance  testing  as  they 
relate  to  the  use  of  internal  controls. 

B.  IMPORTANT  DEFINITIONS 

There are two definitions of internal controls relevant
to this discussion. The first definition is from the
Secretary of Defense's Internal Control Course.

Internal  Controls  are  operational  checks  and  balances  that 
prevent  loss  due  to  fraud,  waste,  abuse,  and  mismanagement 
of  Government  resources.  Resources  include:  personnel, 
information,  and  capital.   [Ref.  5:p.  3] 


The second definition comes from the American Institute of
Certified Public Accountants' (AICPA) Statement On Auditing
Procedure 54.

Internal  control  comprises  the  plan  of  organization  and 
all  of  the  coordinate  methods  and  measures  adopted  within 
a  business  to  safeguard  its  assets,  check  the  accuracy  and 
reliability  of  its  accounting  data,  promote  operational 
efficiency,  and  encourage  adherence  to  prescribed 
managerial  policies.  This  definition  possibly  is  broader 
than  the  meaning  sometimes  attributed  to  the  term.  It 
recognizes  that  a  "system"  of  internal  control  extends 
beyond  those  matters  which  relate  directly  to  the 
functions  of  the  accounting  and  financial  departments. 
[Ref.  6:p.  234] 

The two definitions are similar in emphasis upon the
protection of assets or resources through the use of
internal controls. This is the basis for the Navy's
Internal Control Program [Ref. 3], and is also expressed in
the Federal Managers' Financial Integrity Act of 1982 [Ref. 1].

C.   THE  OBJECTIVES  OF  INTERNAL  CONTROLS 

Objectives  are  the  desired  outcomes  of  any  internal 
control  system.  There  are  two  levels  of  objectives: 
general  and  specific.  Examples  of  general  objectives,  found 
in  the  definitions  cited  in  the  previous  section,  are 
safeguarding  of  assets  or  resources,  promoting  efficiency, 
promoting  the  reliability  of  data,  promoting  adherence  to 
management's  policies  and  preventing  fraud,  waste  or  abuse 
in  event  cycles.  These  objectives  are  considered  general 
because  they  apply  to  any  event  cycle. 


Specific  objectives  are  developed  from  the  general 
objectives.  They  relate  general  objectives  to  specific 
event  cycles.  For  example,  if  a  manager  wants  to  safeguard 
cash  in  the  cafeteria  system,  he  may  determine  a  specific 
objective  to  protect  cash  from  theft  during  transportation 
from  a  cash  register  to  the  bank.  The  general  objective  is 
to  safeguard  an  asset,  and  the  specific  objective  is  to 
safeguard  cash  during  the  collection  event  cycle. 

D.   ELEMENTS  OR  STANDARDS  OF  INTERNAL  CONTROL 

Internal  controls  are  based  on  general  and  specific 
objectives.  However,  achieving  those  objectives  depends  on 
the  internal  controls  having  certain  characteristics  that 
cause  them  to  operate  in  an  effective  manner.  GAO  has 
called  these  characteristics  standards  [Ref.  9:p.  31],  while 
academicians  often  refer  to  these  characteristics  as 
elements  [Ref.  7:p.  273].  Regardless  of  terminology,  the 
following  characteristics  need  to  be  considered: 

(1)  Reasonable  assurance, 

(2)  Supportive  attitude, 

(3)  Competent  personnel, 

(4)  Control  objectives, 

(5)  Control  techniques,

(6)  Documentation, 

(7)  Records, 

(8)  Authorization, 

(9)  Separation  of  duties, 

(10)  Adequate  supervision, 

(11)  Security.   [Ref.  8:pp.  31-36] 

GAO recognizes the first five as general standards, and the
remaining six are considered a subset of control techniques
[Ref. 8:p. 30]. To gain an understanding of the general
versus the specific standards as recognized by GAO, the
following illustrates the relationship.

The  general  standards  are  the  building  blocks  of  an 
effective  control  system.  If  one  block  is  missing,  then 
the  foundation  will  be  incomplete.  In  other  words,  the 
ideal  control  system  will  meet  all  of  the  general 
standards.  The  specific  standards  apply  to  the  control 
techniques  used  in  an  assessable  unit.  Some  assessable 
units  will  not  require  control  techniques  in  all  of  the 
areas  reflected  in  the  specific  standard.  Therefore,  some 
specific  standards  may  not  be  applicable  to  all  assessable 
units.  [Ref.  8:p.  35] 

The assessable units mentioned in the last quote are the
same as the event cycles discussed earlier [Ref. 5:p. A.1].

The  general  and  specific  standards  are  explained  in 
detail  below  to  provide  a  background  for  subsequent 
discussions. 

1.   General  Standards 

a.   Reasonable  Assurance 

An  internal  control  must  provide  the  manager 
with  the  confidence  that  he  or  she  is  able  to  understand  the 
methods  employed  by  the  internal  control  and  that  the 
internal  control,  as  he  or  she  understands  its  operation, 
reduces  risk  within  an  event  cycle.   [Ref.  8:p.  31] 

b.  Supportive  Attitude

An  internal  control  often  involves  an 
interaction  between  management  and  workers.  This  standard 
places  emphasis  on  the  idea  that  an  internal  control  works 
only  if  it  is  supported  by  all  parties  involved.  [Ref.  8: 
p.  31] 

c.  Competent  Personnel 

An  internal  control  requires  that  the  personnel 
involved  in  implementing  that  control  have  the  knowledge  and 
skills  necessary  to  understand  their  assigned  tasks  and  to 
support  the  internal  control  system.   [Ref.  8: p.  32] 

d.  Control  Objectives 

Specific  internal  control  objectives  are 
developed  for  each  event  cycle  so  that  internal  controls  can 
address  the  specific  risks  normally  inherent  in  that  event 
cycle.  The  objectives  are  developed  by  management  before 
management  develops  its  internal  controls,  because  those 
objectives  are  needed  to  provide  an  idea  of  what  is  to  be 
controlled  within  the  event  cycle.   [Ref.  8: p.  32] 

e.  Control  Techniques 

Control  techniques  are  the  mechanisms  by  which 
internal  controls  achieve  general  and  specific  objectives. 
GAO  calls  these  control  techniques  the  specific  standards  of 
internal  controls  [Ref.  8:p.  32].  Those  standards  are 
explained  in  detail  in  the  next  section. 

2.   Specific  Standards

a.  Documentation 

Documentation  is  a  control  technique  that 
provides  an  independent  source  of  information  that  will 
indicate  if  a  transaction  has  been  executed.  Confirmation 
of  information  is  done  by  comparing  documents  to  records  and 
other  documents.  To  illustrate,  tool  issue  documents  are 
compared  against  tool  inventory  records  to  detect  unrecorded 
issues.  Use  of  this  procedure  in  a  tool  room  enables  a 
manager  to  detect  if  his  procedures  are  being  followed  in 
recording  of  tool  issues.   [Ref.  8:p.  33] 

b.  Records 

Recording  transactions  accurately  and  on  a 
timely  basis  improves  the  reliability  of  records  for  audit 
and  review.  Records  are  useful  as  internal  controls  because 
they  can  be  used  to  audit  past  transactions  for  problems  or 
errors.  For  example,  in  a  tool  room  inventory  records  are 
maintained  to  provide  a  history  of  receipts  and  issues.  By 
using  documents  or  records  each  transaction  recorded  on 
those  inventory  records  can  be  checked  for  accuracy. 
Without  the  inventory  records,  a  history  of  past 
transactions  would  not  be  available  to  detect  actual  or 
potential  errors.   [Ref.  8:p.  33] 

c.  Authorization 

In  the  execution  of  transactions,  evidence  is 
maintained  that  all  transactions  are  authorized  by  persons 
acting within the scope of their authority. As part of the
authorization  process,  transactions  are  checked  to  ensure 
that  they  conform  to  management's  policies.  To  illustrate, 
tools  are  issued  only  to  personnel  whose  names  appear  on  a 
list  authorized  by  the  shipyard  commander  to  use  tools.  An 
approval  signature  from  the  tool  room  supervisor  is  required 
before  one  worker  can  draw  more  than  ten  tools.  [Ref.  8: p. 
33] 

d.  Separation  of  Duties 

Separation  of  duties  means  that  one  person  is 
not  allowed  to  control  an  asset  or  resource  completely.  As 
an  example  of  this  technique  in  a  cash  collection  event 
cycle,  the  person  collecting  cash  is  not  the  same  person 
keeping  the  accounting  records;  and  the  person  keeping 
accounting  records  is  not  allowed  to  make  the  daily  cash 
deposits  to  the  bank.   [Ref.  8:p.  33] 

e.  Adequate  Supervision 

To  encourage  workers  to  comply  with  management's 
policies  and  procedures,  supervision  provides  the  necessary 
guidance  and  visibility  to  prevent  and  correct  errors. 
Adequate  supervision  depends  on  having  a  supervisor  who  is 
capable  of  assigning,  reviewing  and  approving  work.  The 
supervisor  must  also  possess  the  knowledge  to  provide 
training  to  subordinates.  As  an  example,  suppose  an  event 
cycle  involves  performing  extremely  complicated  surgical 
procedures.    Having  a  chief  surgeon  present  when  a  new 
intern is performing that individual's first operation would
be a good control. [Ref. 8:p. 34]

f.   Security

Access  to  resources  is  a  security  issue.  To 
prevent  unauthorized  access  to  a  resource,  management  can 
use  physical  controls,  such  as  locks,  guards  or  fences;  or 
it  can  use  administrative  procedures  to  check  on  the 
intended  use  of  a  resource  and  evaluate  whether  the  resource 
should  be  withheld  to  prevent  misuse.  An  example  of  an 
administrative  security  control  is  to  have  all  requests  for 
classified  material  screened  to  see  if  the  requestor  has  a 
valid  need  for  the  information.   [Ref.  8:p.  34] 

E.   THE  ROLE  OF  RISK  IN  DETERMINING  INTERNAL  CONTROLS 

Since  fraud,  waste  and  abuse  are  always  potential 
problems,  a  gauge  of  their  impact  is  necessary  to  determine 
the  degree  to  which  preventive  steps  must  be  taken.  Risk 
evaluation  is  a  method  for  measuring  the  impact  of  those 
potential  problems.  As  a  measure  of  the  degree  of  potential 
problems,  risk  can  be  defined  in  various  terms,  depending  on 
what  management  is  trying  to  accomplish.  According  to  the 
Navy's  Internal  Control  Program  guidance,  the  only  type  of 
risk  used  to  evaluate  event  cycles  is  normally  referred  to 
as inherent risk [Ref. 5:p. A.3]. However, two types of
risk  are  addressed  in  the  field  work  of  this  thesis.  Those 
two  types  are  inherent  risk  and  control  risk  [Ref.  7:p. 
244].    The  Navy  guidance  on  internal  controls  considers 
control risk as part of the evaluation of the overall
inherent  risk  in  event  cycles  [Ref.  8:pp.  31-47]. 

Inherent  risk  measures  the  manager's  or  auditor's 
expectation  that  material  errors  exist  in  the  event  cycle, 
before  considering  the  effectiveness  of  internal  controls. 
Control  risk  measures  the  manager's  or  auditor's  expectation 
that  material  errors  in  an  event  cycle  will  not  be  prevented 
or  detected  by  the  internal  control  system.   [Ref.  7:p.  244] 

Risk  is  not  only  an  important  management  decision  for 
evaluating  internal  controls,  but  it  is  also  a  key  aspect  to 
performing  vulnerability  assessments  [Ref.  8:p.  3]. 
Vulnerability  assessments  are  used  as  part  of  the  Navy's 
Internal  Control  Program  and  are  discussed  later. 

Risk  is  usually  evaluated  on  a  scale  from  high  to  low. 
But  risk  is  not  the  only  concern  for  managers.  Internal 
controls  have  a  cost  associated  with  their  use.  That  cost 
requires  managers  to  consider  how  many  internal  controls 
should  be  used  to  reduce  risk  in  an  event  cycle.  To  make  a 
decision  about  the  appropriate  number  of  internal  controls, 
the  manager  considers  what  level  of  risk  is  acceptable.  The 
level  of  acceptable  risk  on  a  scale  from  high  to  low  is 
determined  partly  on  the  basis  of  another  factor,  known  as 
materiality  [Ref.  7:p.  230].  Materiality  is  the  relative 
significance  of  some  quantity.  Thus,  if  a  person  had  only 
two  dollars  and  lost  one,  that  individual  would  consider  the 
loss  to  be  material.   However,  if  a  person  had  $1  million 
and lost one, that individual most likely would consider the
loss  to  be  immaterial.  Combining  risk  and  materiality  in 
the  following  example  will  illustrate  why  both  factors  are 
to  be  considered  before  implementing  internal  controls.  In 
printing  two  dollar  advertisements  for  a  newspaper,  a 
printer  mistypes  half  of  all  advertisements  daily.  The  risk 
of  printing  errors  is  very  high.  However,  the  revenues 
generated  from  selling  two  dollar  advertisements  represent 
less  than  one  percent  of  the  entire  revenues  generated  by 
the  newspaper  on  a  single  day.  The  cost  of  the  errors  to 
the newspaper is immaterial. The newspaper manager knows
that,  in  order  to  lower  the  error  rate,  he  must  hire  an 
additional  printer,  whose  daily  salary  would  be  more  than 
the revenues generated by the daily two dollar advertisements.
If a manager considers only risk and not
materiality,  he  or  she  may  implement  controls  that  are 
effective  but  not  efficient. 

F.   COMPLIANCE  TESTING 

Once  internal  controls  are  designed  and  put  into 
operation,  they  should  be  tested  to  ensure  that  they  are 
meeting  the  specific  objectives  [Ref.  7:p.  316].  This  is 
usually  done  through  compliance  testing.  Compliance  testing 
can  be  done  in  these  three  ways:  observation  of  the  event 
cycle  to  see  if  the  internal  controls  are  in  place  and 
working,  inquiry  of  the  workers  using  the  event  cycle  to  see 
if  they  understand  and  use  the  internal  controls,   and 
examination of documentation to see if internal controls
were  designed  and  have  been  used  [Ref.  7:p.  77]. 

Compliance  testing  was  important  for  this  study  because 
it  was  used  to  determine  if  the  internal  controls 
implemented  by  a  shipyard  manager  were  effective  in 
preventing  identified  weaknesses  and  if  the  internal 
controls  were  used  as  claimed  in  reports  to  superiors. 

An  example  of  how  compliance  testing  relates  to  internal 
controls  is  presented  in  a  simple  shipyard  event  cycle. 
Distribution  of  office  supplies  is  an  event  cycle  that 
starts  when  a  worker  needs  materials.  The  worker  then  goes 
to  a  place  where  supplies  are  located  and  draws  the 
materials  needed.  At  the  point  when  the  office  supplies  are 
issued  or  drawn,  the  event  cycle  is  completed  until  office 
supplies  are  needed  again.  A  manager  notices  that  the  use 
of  office  supplies  has  gone  from  a  minor  expense,  a  few 
hundred  dollars  a  quarter,  to  a  major  expense  of  many 
thousands  of  dollars.  The  manager  knows  from  experience 
that  workload  and  personnel  have  not  changed  for  many  years. 
This  manager  considers  the  change  from  a  few  hundred  dollars 
to  a  few  thousand  dollars  to  be  a  material  difference. 
After  investigation  of  the  event  cycle,  the  manager  is 
unable  to  determine  why  there  has  been  such  a  change  in 
office  supply  expenditures.  The  manager  realizes  that  there 
are  no  internal  controls  over  the  distribution  of  office 
supplies.   All  of  the  employees  have  access  to  the  storage 
area, and there is no documentation supporting removal of
office  supplies.  One  of  management's  general  objectives  is 
to  safeguard  assets  and  resources,  and  in  this  case  it  was 
not  being  done.  The  manager  decides  to  implement  some 
internal  controls.  The  specific  objective  is  to  control  the 
issue  of  office  supplies  in  order  to  reduce  expenditures. 
The  internal  controls  chosen  are  as  follows: 

(1)  Lock  up  all  office  supplies, 

(2)  Appoint  an  office  supplies  custodian, 

(3)  Require all issues be documented by a requisition,
and

(4)  Require the custodian to record all issues daily on an
issue summary sheet and forward that record to the
manager.

After the internal controls were implemented, the
manager noticed no change in the following quarter in
expenses for office supplies. The manager had not followed
up on the internal control system to ensure that it was
working. When the manager finally investigated the new
system, the manager found that the custodian was leaving the
door unlocked during the day. Employees were going in and
getting whatever they wanted.

During  the  investigation  of  the  problem  the  manager 
performed  compliance  tests.  First,  the  manager  observed  how 
the  office  supplies  were  being  issued.  Then,  the  manager 
asked  the  custodian  if  the  door  to  the  supply  room  was  being 
kept  locked.  Next,  the  manager  asked  other  employees  how 
they  got  their  supplies.   Finally,  the  manager  reviewed  the 
requisitions kept by the custodian and compared those
requisitions  to  the  custodian's  record  summarizing  daily 
issues.  By  using  compliance  testing's  simple  methods  of 
inquiry,  documentation  and  observation,  the  manager  was  able 
to  find  out  where  the  internal  controls  failed  to  operate. 
The  manager  then  decided  to  add  one  more  control.  The 
manager  planned  to  conduct  surprise  spot  checks  to  see  if 
the  supply  room  was  being  kept  locked. 

The  previous  example  shows  how  compliance  testing  is 
useful  for  determining  if  internal  controls  are  in  place  and 
working.  During  the  field  work  for  this  study,  this  method 
was  used  to  check  whether  internal  controls  were  actually 
making  changes  within  the  shipyard. 

III.   THE  HISTORY  OF  INTERNAL  CONTROL
IN  THE  FEDERAL  GOVERNMENT 


A.  INTRODUCTION 

This  chapter  traces  the  history  of  internal  controls 
from  their  beginnings  in  the  Federal  Government  through  the 
passage  of  the  Federal  Managers'  Financial  Integrity  Act  of 
1982.  Of  importance  in  this  historical  review  is  the 
relationship  between  accountability  and  internal  controls. 

B.  THE  BUDGET  AND  ACCOUNTING  ACT  OF  1921 

The  Budget  and  Accounting  Act  of  1921  is  significant 
because  it  is  the  precursor  to  the  Budget  and  Accounting 
Procedures  Act  of  1950.  It  established  several  positions  in 
the  Federal  Government  that  would  eventually  be  responsible 
for  enforcing  the  use  of  internal  controls  mandated  by  the 
1950  act  [Ref.  10:pp.  20-27].  The  1921  act  was  passed  to 
provide  for  a  national  budget  system  and  for  the  independent 
audit  of  government  accounts  by  an  independent  office.  The 
independent  office  is  the  General  Accounting  Office  (GAO) , 
headed  by  the  Comptroller  General  of  the  United  States.  The 
Federal  audit  function  was  removed  from  the  Treasury  and  the 
office  of  the  Comptroller  of  the  Treasury  was  abolished. 
The  budgeting  function  formerly  performed  by  the  Comptroller 
of  the  Treasury  was  assigned  to  a  new  Bureau  of  the  Budget. 
This  bureau  would  eventually  become  the  Office  of  Management 
and Budget in 1970. Separation of the budget and accounting
functions is a significant event because it started to
formalize a basic element essential in any good internal
control system, the separation of duties. [Ref. 10:pp. 20-23]

The key aspects of the Budget and Accounting Act of 1921
are the formalization of accounting documentation for audit
purposes and the reporting of financial information to the
Congress and the President for budgeting purposes [Ref. 10:
pp. 20-27]. Congress was concerned that the data necessary
for the Federal Government to budget accurately and then to
use appropriated funds efficiently were not being
maintained. Congress stated that the submission of budget
information by the President could not be evaluated
adequately when the budget and accounting functions were
consolidated under the Treasury, so it created the
General Accounting Office to be an independent check on the
executive branch of the government [Ref. 10:p. 23]. Within
its charter, the General Accounting Office is charged as
follows:

(a)  The  Comptroller  General  shall  investigate,  at  the  seat 
of  government  or  elsewhere,  all  matters  relating  to  the 
receipt,  disbursement,  and  application  of  public  funds, 
and  shall  make  to  the  President  when  requested  by  him,  and 
to  Congress  at  the  beginning  of  each  regular  session,  a 
report  in  writing  of  the  work  of  the  General  Accounting 
Office,  containing  recommendations  concerning  the 
legislation  he  may  deem  necessary  to  facilitate  the  prompt 
and  accurate  rendition  and  settlement  of  accounts  and 
concerning  such  other  matters  relating  to  the  receipt, 
disbursement,  and  application  of  public  funds  as  he  may 
think  advisable.    In  such  regular  report,  or  in  special 
reports at any time when Congress is in session, he shall
make  recommendations  looking  to  greater  economy  or 
efficiency  in  public  expenditures. 

(b)  He  shall  make  such  investigations  and  reports  as  shall 
be  ordered  by  either  House  of  Congress  or  by  any  committee 
of  either  House  having  jurisdiction  over  revenue, 
appropriations,  or  expenditures.  The  Comptroller  General 
shall  also,  at  the  request  of  any  such  committee,  direct 
assistants  from  his  office  to  furnish  the  committee  such 
aid  and  information  as  it  may  request. 

(c)  The  Comptroller  General  shall  specially  report  to 
Congress  every  expenditure  or  contract  made  by  any 
department  or  establishment  in  any  year  in  violation  of 
law. 

(d)  He  shall  submit  to  Congress  reports  upon  the  adequacy 
and  effectiveness  of  the  administrative  examination  of 
accounts  and  claims  in  the  respective  departments  and 
establishments  and  upon  the  adequacy  and  effectiveness  of 
departmental  inspection  of  the  offices  and  accounts  of 
fiscal  officers. 

(e)  He  shall  furnish  such  information  relating  to 
expenditures  and  accounting  to  the  Bureau  of  the  Budget  as 
it may request from time to time. [Ref. 10:pp. 20-27]

The Comptroller General performs the duties listed above
through internal audits, investigating all matters relating
to the use of public funds [Ref. 10:p. 25].

Internal audit is a function that addresses both the
accountability concerns of the Congress and the
effectiveness issue with respect to public resources.
Internal audit is a necessary part of the internal control
process because, without it, the ability of an auditor to
detect material errors is significantly reduced. The vast
size of the Federal Government makes audit of every
transaction expensive; therefore, the auditor must evaluate
the internal controls within its accounting systems.

In summary, the Budget and Accounting Act of 1921
established formalized accounting systems, required internal
audit within executive agencies, established the Bureau of
the Budget, established an independent audit agency (GAO)
under the Comptroller General, separated the disbursement
and accounting functions within the executive branch of
government, and was the first federal act to emphasize
adequacy and effectiveness of offices and accounts (internal
control).

C.  THE BUDGET AND ACCOUNTING PROCEDURES ACT OF 1950

The  Budget  and  Accounting  Procedures  Act  of  1950  amended 
the  1921  act  and  established  the  requirement  to  document 
accounting  systems  used  within  the  Federal  Government. 
While  the  1921  act  laid  the  foundations  for  internal  control 
systems  within  the  Federal  Government,  it  did  not 
specifically  delineate  the  types  of  accounting  systems  nor 
did  it  use  the  specific  words  "internal  control."  The 
latitude  and  methods  of  execution  were  left  to  the 
discretion  of  the  executive  agency  heads.  The  only  real 
requirement  for  an  accounting  system's  acceptance  was  to 
pass  the  adequacy  and  efficiency  tests  of  the  Comptroller 
General.  The  ever  increasing  size  of  the  Federal 
Government,  especially  after  World  War  II,  dictated  that  the 
methods  of  communicating  financial  information  be 
standardized  and  integrated  throughout  the  Federal 
Government [Ref. 11:p. 835]. Congress was the defender of
the purse and demanded better explanations for the executive
department's financial requests. Both the Budget and
Accounting Act of 1921 and the Budget and Accounting
Procedures Act of 1950 cited budgeting as the principal
concern that motivated passage of the law.

Although budgeting was the primary interest, Congress
established that internal controls would make the budgeting
and expenditure of appropriated funds more effective [Ref.
11:p. 836]. More definite guidance regarding internal
controls was provided in three areas. First, the Bureau of
the Budget was directed to

...develop  programs  and  to  issue  regulations  and  orders 
for  the  improved  gathering,  compiling,  analyzing, 
publishing,  and  disseminating  of  statistical  information 
for  any  purpose  by  the  various  agencies  in  the  executive 
branch of the Government. [Ref. 11:p. 834]

Second, the Comptroller General was directed to coordinate
between the Bureau of the Budget and the Secretary of the
Treasury and establish an integrated and standardized
accounting system within the Federal Government. Finally,
the heads of executive agencies were required to

establish  and  maintain  systems  of  accounting  and  internal 
control  designed  to  provide  (1)  full  disclosure  of 
financial  results  of  the  agency's  activities;  (2)  adequate 
financial  information  needed  for  the  agency's  management 
purposes;  (3)  effective  control  over  and  accountability 
for  all  funds,  property,  and  other  assets  for  which  the 
agency  is  responsible,  including  appropriate  internal 
audit;  (4)  reliable  accounting  results  to  serve  as  the 
basis  for  preparation  and  support  of  the  agency's  budget 
request,  for  controlling  the  execution  of  its  budget  and 
for  providing  financial  information  required  by  the  Bureau 
of  the  Budget  under  section  213  of  the  Budget  and 
Accounting Act, 1921. [Ref. 11:p. 836]

This three pronged approach was to provide greater control
and better dissemination of financial information within the
Federal Government. [Ref. 11:p. 832]

Even  though  Congress  had  provided  greater  guidance 
concerning  accounting  and  the  need  to  use  internal  controls, 
latitude  for  the  execution  of  those  functions  was  still 
vested  in  the  executive  agency  heads  and  the  Comptroller 
General.  The  Comptroller  General  was  directed  to  determine 
the  extent  to  which  accounting  and  related  financial 
reporting  exercised  adequate  financial  control  over 
operations [Ref. 11:p. 835].

D.  THE  FOREIGN  CORRUPT  PRACTICES  ACT  OF  1977 

The Foreign Corrupt Practices Act of 1977 was Congress'
first  legislative  action  to  establish  the  requirement  for 
maintaining  a  system  of  internal  accounting  controls.  This 
act  amended  the  Securities  Exchange  Act  of  1934.  Public 
companies  were  the  target  for  this  important  legislation, 
but  the  significance  of  its  passage  lies  in  the  fact  that 
Congress  acknowledged  that  internal  controls  could  and 
should  be  used  for  preventing  abuses  of  an  organization's 
resources.   [Ref.  12] 

E.  THE  INSPECTOR  GENERAL  ACT  OF  1978 

With  the  Carter  Administration's  promise  to  reduce  the 
size  of  the  Federal  Government,  the  pressure  on  Congress  to 
become more accountable, economical and efficient
intensified. Congress desired a more active role in the
budget execution process and copied the lead taken by the
Department of Health, Education and Welfare (HEW). In 1977,
HEW  was  the  first  federal  agency  to  establish  an  Inspector 
General  position.   [Ref.  13] 

Congress,  by  establishing  the  Office  of  the  Inspector 
General,  could  ensure  that  each  agency  had  an  independently 
dedicated  party  to  carry  out  the  functions  of  internal 
audit,  investigation  and  control.  Additionally,  this 
position  would  provide  a  focal  point  for  compiling  data  to 
report  to  Congress  on  the  effective  and  efficient  operation 
of  executive  agencies.   [Ref.  14] 

Besides  requiring  the  appointment  of  an  Inspector 
General,  Congress  went  a  step  further  to  improve 
accountability  within  the  Department  of  Defense.  Section  8 
of  the  Inspector  General  Act  required  the  Secretary  of 
Defense  to  take  several  actions.  First,  the  Secretary  was 
required  to  submit  semiannual  reports  to  Congress  on  the 
results  of  audit  and  investigations  within  the  Department  of 
Defense.  Next,  he  was  required  to  make  public  disclosure  of 
audit  results  unless  the  results  affected  national  security. 
Additionally,  Congress  also  required  the  Secretary  of 
Defense:  (1)  to  submit  proposed  legislation  to  establish 
appropriate  reporting  procedures  concerning  the  audit, 
investigative  and  inspection  activities  of  the  Department  of 
Defense,  (2)  to  establish  a  task  force  to  investigate  ways 
to reduce fraud, waste and abuse, and (3) to issue a report
summarizing the Inspector General's ability to work
effectively and independently. [Ref. 14:p. 1105]

The  Inspector  General  of  the  Department  of  Defense  was 
not  to  become  the  head  of  each  military  department's 
independent  audit  function.  Each  service  secretary  was 
authorized  to  retain  authority,  direction  and  operational 
control  over  his  or  her  internal  audit  and  internal  review 
organizations.  For  the  Navy,  the  position  responsible  for 
internal  audit  was  the  Auditor  General.   [Ref.  15:pp.  2-3] 

F.  OFFICE OF MANAGEMENT AND BUDGET CIRCULAR A-123

The Office of Management and Budget (OMB) issued
Circular A-123 on 28 October 1981 as an attempt to move the
executive agencies toward compliance with the Budget and
Accounting Procedures Act of 1950. Circular A-123 required
agencies  to:  (1)  establish  directives  on  internal  control, 
(2)  make  assessments  of  an  activity's  inherent  risk  for 
fraud,  waste  and  abuse,  and  (3)  develop  a  review  schedule 
for  internal  controls.   [Ref.  16] 

The  significance  of  Circular  A-123  lies  in  the  fact  that 
this was the first Presidential sponsored document requiring
the  use  of  internal  controls  to  combat  fraud,  waste  and 
abuse.  Circular  A-123  was  later  revised  in  1983  to  reflect 
the  changes  caused  by  the  Federal  Managers'  Financial 
Integrity  Act  of  1982  [Ref.  16].   It  outlined  the  use  of 
vulnerability assessments and internal control reviews as
the basis for using internal controls within the Federal
Government.

G.  THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT OF 1982

The Federal Managers' Financial Integrity Act of 1982
(FMFIA) is the result of a combination of two bills that the
House of Representatives and the Senate tried to pass in
1980. They were the Financial Integrity Act of 1980 and the
Federal Manager's Accountability Act of 1980. [Ref. 17]

1.  Details of Major Importance

Within this legislation, there are seven important
details that have brought internal controls to center stage
in combating fraud, waste and abuse. Each is discussed in
detail below.

a.  Internal Accounting and Administrative Controls

Each executive agency is required to establish
internal accounting and administrative controls in
accordance with standards prescribed by the Comptroller
General and shall provide reasonable assurances that,

...obligations  and  costs  are  in  compliance  with  applicable 
laws;  funds,  property,  and  other  assets  are  safeguarded 
against  waste,  loss,  unauthorized  use,  or 
misappropriation;  and  revenues  and  expenditures  applicable 
to  agency  operations  are  properly  recorded  and  accounted 
for  to  permit  the  preparation  of  accounts  and  reliable 
financial  and  statistical  reports  and  to  maintain 
accountability over assets. [Ref. 1:p. 814]

b.  Evaluation Guidelines

The  Director  of  the  Office  of  Management  and 
Budget,  in  consultation  with  the  Comptroller  General,  shall 
establish  guidelines  for  agencies  to  follow  to  ensure  their 
internal  accounting  and  administrative  controls  conform  with 
the  intent  of  this  act. 

c.  Compliance  Statement 

Annually,  executive  agency  heads  are  required  to 
submit  a  statement  of  compliance  or  noncompliance  in 
relation  to  this  act. 

d.  Report 

Along with the annual compliance or noncompliance
statements, executive agency heads will prepare a
report  that  states  exactly  any  material  weaknesses  in  the 
agency's  systems  of  internal  accounting  and  administrative 
control.  This  report  will  also  contain  a  detailed  schedule 
outlining  the  plan  for  corrective  action. 

e.  Transmission  of  Statements  and  Reports 

Each  executive  agency  head  will  sign  the 
statements  and  reports  and  forward  them  to  Congress  and  the 
President.  In  addition,  these  reports  will  be  made 
available  to  the  public  upon  request. 

f.  Appropriations 

The  President  will  submit  with  each  budget,  to 
Congress,  a  detailed  report  explaining  the  funds  requested 
on  behalf  of  the  Office  of  the  Inspector  General. 

g.  Agency's Accounting Systems

Each  annual  statement  prepared  shall  include  a 
separate  report  on  whether  the  agency's  accounting  system 
conforms  to  the  principles,  standards  and  related 
requirements prescribed by the Comptroller General. [Ref. 1:
p. 814]

2.  The Role of the Office of Management and Budget

The  Director  of  the  Office  of  Management  and  Budget 
is  tasked  with  assisting  the  President  by  developing 
efficient  coordinating  mechanisms  to  implement  legislative 
enactments.  By  so  doing,  the  Director  is  responsible  for 
interpreting  this  act  for  other  executive  agencies  to 
follow.  This  act  specifically  identifies  the  Director  by 
title  and  it  tasks  that  individual  to  take  the  appropriate 
actions  Congress  felt  were  ignored  by  the  Executive  Branch 
when  the  Budget  and  Accounting  Procedures  Act  of  1950  was 
passed. [Ref. 1:p. 814]

3.  The Role of the Comptroller General

Congress  tasked  the  Comptroller  General  in  the 
Accounting  and  Auditing  Act  of  1950  to  standardize  and 
integrate  federal  accounting  systems  and  then  to  approve 
those  systems.  In  the  1982  act,  Congress  re-emphasized  this 
approval  requirement  and  mandated  that  agencies  seek  out  the 
Comptroller General's approval. [Ref. 1:p. 814]

4.  The Role of the Inspector General

It  appears  that  Congress  clearly  believed  that  the 
Executive  Branch  was  not  providing  sufficient  resources  to 
the  Offices  of  Inspectors  General.  By  making  the  Executive 
Branch  detail  budget  submissions  in  this  area,  Congress 
ensured  that  the  Executive  Branch  allocated  adequate 
resources  to  allow  the  Inspector  General  to  be  free  from  the 
power  of  the  purse  held  by  the  entity  being  audited  or 
inspected. [Ref. 1:p. 814]

5.  Summary

The  FMFIA  is  the  most  extensive  attempt  by  Congress 
to  date  to  hold  the  government  accountable  to  the  people. 
Internal  controls  and  accounting  systems  were  given 
standards  by  which  progress  in  these  areas  could  be 
measured.  Reporting  requirements  made  specific  individuals 
accountable  for  instituting  adequate  internal  controls. 
Internal  controls  have  been  made  an  important  part  of  the 
way  the  United  States  Government  conducts  business. 

IV.  HISTORY OF INTERNAL CONTROLS WITHIN THE NAVY

A.  INTRODUCTION 

The  purpose  of  this  chapter  is  to  describe  the  evolution 
of  the  internal  control  program  within  the  Department  of  the 
Navy  from  its  start  in  1982  through  its  current  state  of 
operation  in  March  of  1988.  To  accomplish  this  purpose, 
there  are  five  facets  that  are  discussed  to  provide  a 
general  description  of  how  the  FMFIA  was  implemented  within 
the  Navy.  Facet  one  describes  the  internal  control  program 
guidance  issued  by  the  levels  of  command  responsible  for 
complying  with  the  requirements  of  FMFIA.  Facets  two  and 
three  describe  the  importance  of  vulnerability  assessments 
and  management  control  reviews,  respectively,  and  their 
relationships  to  the  internal  control  program.  Facet  four 
provides  an  overview  of  how  facets  two  and  three  are 
integrated  into  a  process  that  forms  the  basis  of  the  Navy's 
Internal  Control  Program.  Finally,  facet  five  summarizes 
the  comments  of  the  Naval  Audit  Service's  latest  review  of 
the  internal  control  program. 

B.  INTERNAL  CONTROL  PROGRAM  GUIDANCE  AND  RESPONSIBILITIES 
1.   The  Secretary  of  Defense  (SECDEF) 

As  discussed  in  Chapter  III,  the  FMFIA  required  that 
the  Comptroller  General  prescribe  internal  control 
standards, OMB establish internal control guidelines, audit
findings be promptly resolved and Agency Heads certify and
report on the use of internal controls within their
respective agencies. It is with regard to those certification
and reporting requirements that the SECDEF was assigned
responsibility by law for establishing the use of internal
controls [Ref. 1:p. 814].

The  SECDEF,  as  the  focal  point  for  providing  those 
certifications  and  reports,  established  the  internal  control 
program  when  he  signed  the  Department  of  Defense  (DOD) 
Directive  7040.6  on  24  March  1982.  This  implementing  action 
was  done  prior  to  passage  of  FMFIA.  Actually,  the  internal 
control  program  was  started  in  response  to  an  Executive 
Order,  OMB  Circular  A-123  [Ref.  17:p.  23].  On  16  July  1984, 
DOD  Directive  7040.6  was  reissued  as  DOD  Directive  5010.38. 
The change from the 7000 series to the 5000 series was made
to remove the guidance from SECDEF's audit-related
directives and to change it to a series reserved for
internal review-related directives. This new directive
incorporated the specific changes brought about by the FMFIA
and the subsequently revised OMB Circular A-123 of 1983.
[Ref.  17:p.  23] 

With  the  issuance  of  the  original  directive,  SECDEF 
directed  each  of  the  military  services  to  establish  internal 
control  programs  within  their  departments.  This  initial 
guidance  was  tailored  from  the  OMB  Circular  A-123  issued  in 
October  of  1981  and  the  OMB  Guidelines  published  in  December 
of 1982. Because of the relatively short time between the
passage  of  FMFIA  and  its  required  implementation,  SECDEF  did 
not  immediately  provide  training  or  instruction  on  how  these 
programs  should  be  structured;  the  responsibility  was  left 
completely  to  the  service  secretaries.  The  GAO  on  1  May 
1984  issued  a  report  to  the  SECDEF  that  highlighted  the 
progress DOD had made toward implementation of FMFIA. [Ref.
18:p. 1] Within that review, two significant problems were
highlighted. The first problem was that there was
insufficient training on the requirements of FMFIA. The
second problem emphasized that throughout the DOD
insufficient documentation was maintained concerning the
implementation of the internal control program. [Ref. 18:p.
1] In August of 1984, SECDEF issued a training course that
was designed to correct the lack of training and adequate
documentation. [Ref. 19:p. 1] This Internal Control Course
[Ref.  19]  comprised  three  volumes  and  a  cover  letter. 

With  the  directive  and  the  training  course  issued, 
the  SECDEF  left  the  operation  of  the  internal  control 
program  to  the  service  secretaries  except  for  overall 
compilation  of  reports  and  certifications  to  Congress.  The 
remainder  of  this  thesis  deals  with  the  internal  control 
program  as  it  was  implemented  within  the  Department  of  the 
Navy (DON).

2.  The Secretary of the Navy (SECNAV)

On  29  July  1983,  SECNAV  took  his  first  formal  action 
to  implement  the  requirements  of  FMFIA,  OMB  Circular  A-123 
and  DOD  Directive  7040.6  [Ref.  17:p.  23].  The  result  of 
that  action  was  SECNAV  Instruction  5200.35.  That 
instruction  became  the  basic  policy  guidance  which  started 
the  Navy's  Internal  Control  Program,  directed  use  of  "OMB 
Guidelines"  for  the  evaluation,  improvement  and  reporting  of 
internal  control  systems,  and  assigned  specific  actions 
throughout the chain of command. [Ref. 3:pp. 1-4]

SECNAV  Instruction  5200.35  has  been  updated  only 
once  since  1983  and  it  is  currently  issued  as  SECNAV 
Instruction 5200.35A, dated 17 May 1985 [Ref. 20]. The
instruction  was  reissued  so  as  to  address  three  objectives 
not  specifically  covered  within  the  first  instruction  [Ref. 
17:p.  24].  To  summarize  those  reasons  for  change,  the 
original  instruction  did  not  adequately  emphasize  the  needs 
to: 

(1)  maintain  effective  operation  and  accounting  control 
systems, 

(2)  maintain  involvement  by  all  levels  of  management  for 
ensuring  that  effective  controls  exist,  and 

(3)  maintain  an  adequate  system  to  ensure  that  follow-up 
actions  are  in  place  to  promptly  correct  internal 
control  deficiencies.   [Ref.  20] 

Prior to the Comptroller of the Navy becoming the
Assistant Secretary of the Navy for Financial Management,
the original SECNAV instruction assigned the internal
control program's project management to the Deputy Under
Secretary of the Navy for Financial Management. He was
supported in that function by the Comptroller of the Navy
[Ref. 3:p. 3]. SECNAV Instruction 5200.35A, the revision of
the original SECNAV instruction, assigned the internal
control program's project management to the Under Secretary
of the Navy [Ref. 20:p. 2].

Currently,  there  is  a  draft  revision  to  SECNAV 
Instruction 5200.35A that would shift the program management
responsibility entirely from the Deputy Under Secretary of
the Navy to the Assistant Secretary of the Navy for
Financial Management (NAVCOMPT). Additionally, that
revision emphasizes the need to have all levels of the DON
comply with GAO standards and to involve all the levels of
management on an on-going basis in the process of
determining adequacy of internal controls. [Ref. 17:p. 25]

3.  Commander, Naval Sea Systems Command (NAVSEA)

Originally,  the  next  echelon  for  implementation, 
according  to  SECNAV  Instruction  5200.35,  was  the 
headquarters  component  level  and  NAVSEA  was  designated  as 
one  of  the  original  26  so  designated  [Ref.  3].  However, 
when the revised SECNAV Instruction 5200.35A was issued in
1985, the Chief of Naval Operations (CNO) became the only
headquarters component besides the Commandant of the Marine
Corps to report on internal controls directly to NAVCOMPT.
Also, the revised instruction stated that the CNO was
responsible for ensuring that all his subordinates complied
with the guidance within the revised SECNAV instruction
[Ref. 20:p. 2]. NAVSEA, as a subordinate of the CNO, reports
to NAVCOMPT through the CNO [Ref. 20:encl. 2].

On  6  January  1986,  the  CNO  issued  OPNAV  Instruction 
5200.25A, applicable to all Naval activities. That
instruction contained information similar to SECNAV
Instruction 5200.35A but had two requirements that were not
similar to the previously issued guidance. OPNAV
Instruction 5200.25A identified a detailed inventory of
assessable units that were to be included periodically for
vulnerability assessments, and it identified CNO's demands
for specific reporting requirements. [Ref. 17:p. 26]

NAVSEA, within five months of the CNO's issuance of
OPNAV Instruction 5200.25A, issued NAVSEA Instruction
5200.13  [Ref.  22].  Under  this  specific  guidance  NAVSEA 
provides  the  internal  control  program  policy  for  the  Navy's 
eight  active  Naval  Shipyards.  This  thesis  focuses  on  the 
internal  control  program  implemented  within  one  of  those 
eight  shipyards.  According  to  that  shipyard's  Director  of 
Internal  Review,  the  shipyard  commander  identified  NAVSEA 
Instruction 5200.13 as the most important guidance to be
followed for implementing the shipyard's internal control
program. Since NAVSEA Instruction 5200.13 is identified as
the most important guidance for the shipyard to use in
developing an internal control program, the important parts
of  that  instruction  are  quoted  below  for  future  reference. 

1.  Performance  Appraisals.  The  ability  of  personnel 
assigned  duties  to  develop,  implement  or  maintain  internal 
controls  or  to  perform  Vulnerability  Assessments  or 
Management  Control  Reviews  should  be  evaluated  in  their 
routine  performance  appraisals. 

a.  Military  Personnel.  The  internal  control  program 
does  not  reorient  the  current  military  fitness  report  or 
performance  evaluation  process.  Rather,  the  normal 
appraisal  process  continues  to  review  a  military  member's 
performance  in  internal  control  as  it  has  in  the  past. 
For  example,  the  Officer  Appraisal  Work  Sheet,  NAVPERS 
Form  1611,  evaluates  numerous  elements  of  internal 
control.  Internal  control  should  be  regarded  as  a  normal 
part  of  the  management  process  for  military  personnel. 

b.  Civilian  Personnel.  Civilian  personnel  have 
structured  performance  appraisal  system.  Supervisors 
responsible  for  overseeing  objective  setting  and 
performance  appraisals  should  ensure  that  the  internal 
control  aspects  of  the  functions  being  performed  are 
emphasized. 

2.  Quality  Control.  To  ensure  that  the  objectives  of 
this  program  are  achieved,  quality  control  shall  be 
exercised  at  all  levels  of  command.  Quality  control  will 
include: 

a.  Ensuring  appropriate  internal  control  training  is 
provided. 

b.  Performing  adequate  Vulnerability  Assessments  and 
Management  Control  Reviews. 

c.  Preparing  accurate  and  timely  reports. 

d.  Establishing  a  formal  follow-up  system  for 
monitoring  corrective  actions  to  material  and/or  systemic 
deficiencies. 

e.  Establishing  a  system  of  testing  corrective 
actions  to  material  or  systemic  deficiencies.  No 
deficiencies  can  be  dropped  from  a  follow-up  system  until 
it  has  been  tested  (on-site  review  of  the  deficiency  to 
determine  if  the  stated  corrective  actions  solved  the 
deficiency).

f.  Conducting  periodic  on-site  reviews  of  Management 
Control  Review  procedures  at  subordinate  commands  to 
ensure  compliance  with  requirements  set  forth  in  this 
instruction. 

3.  Vulnerability Assessments and Management Control
Reviews. Vulnerability Assessments and Management Control
Reviews shall be conducted of assessable units covering
all  programs  and  functions  of  the  activity.  An  inventory 
of  assessable  units  shall  be  developed  and  maintained  by 
each  activity.  Vulnerability  Assessments,  Management 
Control  Reviews  and  Other  Management  Actions  shall  be 
conducted  and  reported  in  accordance  with  this 
instruction. 

4.  Responsibilities

a.  Office  of  Internal  Review,  COMNAVSEA  (SEA  00F3) 
will: 

(1)  Establish  and  maintain  the  command-wide 
internal  control  program. 

(2)  Provide  overall  policy,  procedures  and 
oversight  of  the  command's  internal  control  program. 

(3)  Coordinate,  prepare  and  submit  all  reports 
required for COMNAVSEA's signature.

(4)  Establish a Command training program.

(5)  Maintain COMNAVSEA's tracking system for
internal  control  evaluations  and  corrective  actions. 

(6)  Establish  and  coordinate  a  quality  assurance 
program. 

b.  NAVSEA   field   activities,   detachments   and 
headquarters  deputy  commanders  will: 

(1)  Designate  an  internal  control  coordinator  to 
administer  the  program. 

(2)  Ensure  internal  control  systems  under  their 
purview  (including  classified  systems)  are  implemented  and 
functioning. 

(3)  Ensure  that  managers  (both  military  and 
civilian)  responsible  for  internal  controls  are  identified 
and  their  fitness  reports  and  performance  appraisals 
reflect  that  responsibility. 

(4)  Perform  vulnerability  assessments,  management 
control  reviews  and  other  appropriate  management  actions 
and  report  the  results. 

(5)  Maintain  documentation  on  all  vulnerability 
assessments,  management  control  reviews,  other  management 
actions  and  corrective  actions. 

(6)  Establish  quality  control  to  ensure  that 
adequate  internal  controls  are  established  to  prevent  loss 
or  unauthorized  use  of  resources,  errors  in  reports  and 
information,  illegal  or  unethical  acts,  inefficiencies  and 
adverse  public  opinion. 

c.  Internal  review  offices  will: 

(1)  Evaluate  respective  command  compliance  with 
the  requirements  of  this  instruction. 

(2)  Perform  selected  audits  and  test  checks  of 
internal  control  documentation  and  systems. 

(3) Provide technical assistance to managers in
conducting reviews and assessments. (Internal review will
not conduct vulnerability assessments and management
control reviews except in their own areas of
responsibility.)

d.   The  NAVSEA  Inspector  General  (SEA  00N)  will: 

(1)  Include  the  implementation  of  the  program  as 
a  specific  review  item  during  Command  Inspections.  [Ref. 
22:pp.  2-5] 


C.   VULNERABILITY  ASSESSMENTS 

The second facet of this discussion focuses on the first
of two critical processes essential to all internal control
programs utilized within the Navy — vulnerability assessment.

A  vulnerability  assessment  is  a  management  evaluation  of  a 
program  or  function  aimed  at  identifying  the  potential  for 
mismanagement,  loss,  fraud,  or  waste  in  that  program  or 
function.  The  objective  of  these  assessments  is  to  attain 
a  ranking  of  all  programs  and  functions  within  an 
organization  in  terms  of  their  susceptibility  to  loss  or 
unauthorized  use  of  resources,  errors  in  reports  or 
information,  illegal  or  unethical  acts  and/or  adverse  or 
unfavorable  public  opinion.  This  ranking  process  enables 
management  to  determine  priorities  for  conducting 
management  control  reviews. 

The vulnerability assessment process consists of: (1)
deciding which major programs/functions are applicable to
the component; (2) determining what aspects of each major
program/function are performed by the component; (3)
identifying responsible managers to perform the
assessments; (4) documenting the vulnerability factors;
(5) establishing ratings and rankings based on experience
and judgement; and (6) submitting a brief written report.
[Ref. 3:encl. 1, p. 2]

The vulnerability assessment process was first required by
OMB Circular A-123 [Ref. 23]. Since that process was
designed to help managers logically assess the risk
potential within their organizations, it became an essential
part of all the internal control programs started within the
Navy [Ref. 3]. As stated earlier, the CNO in his 1986
instruction established a detailed inventory of assessable
units and required that those units be assessed at a maximum
interval of every two years [Ref. 21]. In August of 1986,
when OMB revised its Circular A-123 in order to reduce the
internal control program paper workload, the CNO issued
interim guidance to reflect a change from the maximum
two-year requirement for performing vulnerability assessments
to a five-year requirement [Ref. 24]. Besides being an
attempt to reduce the paper workload, the change to the
vulnerability assessment cycle was made to provide management
more time and resources to conduct management control reviews
[Ref. 24].

D.   MANAGEMENT  CONTROL  REVIEWS 

Management control reviews represent the second and most
critical process for having a good internal control program.
It should be considered the most critical process because it
is during this process that internal controls are corrected
or added to an event cycle to prevent fraud, waste or abuse.

Management  control  reviews  (also  referred  to  as  internal 
control  reviews)  are  detailed  examinations  of  a 
program/function to ensure internal controls exist, are
documented  and  are  functioning  as  intended.  These  reviews 
should  identify  weak,  nonexistent  or  excessive  controls 
and  initiate  actions  necessary  to  correct  noted 
deficiencies.  Management  control  reviews  are  performed  at 
each  DON  command  and  activity  by  the  managers  responsible 
for  the  system  of  internal  controls  under  review. 

The  following  steps  provide  a  basic  approach  to  performing 
internal  control  reviews. 

a.  Identify  "event  cycles."  These  cycles  are  the 
processes  or  series  of  events  leading  to  accomplishment  of 
a  function. 

b. Analyze the general control environment; i.e.,
management attitude, organization structure, personnel,
delegation and communication of authority and
responsibilities, budgeting and reporting practices and
organizational checks and balances.

c.  Document  event  cycles.  Documentation  should  be  in 
the  form  of  flow  charts  or  narrative  explanations  in 
sufficient  detail  to  permit  an  in-depth  analysis  of  the 
existence  and  adequacy  of  internal  controls.  At  a 
minimum,  this  documentation  should  identify  procedures 
used,  personnel  performing  the  procedures  and  forms  or 
other  records  used  in  executing  the  transactions.  Also 
internal  control  points  in  the  event  cycle  should  be 
highlighted. 

d.  Identify  needed  controls  for  each  transaction 
cycle  and  compare  them  to  existing  controls  to  determine 
nonexistent  or  unnecessary  controls. 

e.  Test  established  controls  to  ensure  they  are 
functioning  as  intended. 

f.  Report  the  results  of  the  reviews.  Identify 
weaknesses  and  deficiencies  in  the  internal  control  system 
and recommend necessary corrective actions.
[Ref. 3:encl. 1, p. 5]


E.   THE  INTERNAL  CONTROL  PROGRAM  PROCESS 

The  internal  control  program  process  is  similar 
throughout  all  levels  of  command  within  the  Navy.  It  is  a 
sequential  process  that  works  on  a  cyclical  basis  for 
conducting  the  following  seven  steps: 

(1)  Organizing  the  process, 

(2)  Segmenting  the  activity, 

(3)  Conducting  the  vulnerability  assessments, 

(4)  Developing  plans  for  subsequent  actions, 

(5)  Conducting  management  control  reviews, 

(6)  Reporting   the   results   of   the   internal   control 
process, 

(7) Following up on corrective actions. [Ref. 2:p. I-5].

Of the steps listed above, step one emphasizes the
assignment of overall coordination and reporting
responsibilities throughout a local activity's chain of
command.  It  is  during  this  step  that  overall  management  of 
the  internal  control  program  is  assigned  to  one  individual. 
After  a  focal  point  is  identified,  that  individual  begins  by 
planning  the  remaining  six  steps  with  the  activity  commander 
and  the  department  heads.  Step  two  of  the  internal  control 
process  involves  the  person  assigned  overall  management 
responsibility and the department heads coming together to
identify  how  to  segment  the  activity.  The  segmentation  is 
done  to  recognize  which  event  cycles  should  be  included  on 
the  activity's  list  of  assessable  units.  As  described  in 
Chapter  II,  assessable  units  are  also  known  as  event  cycles. 
Next,  department  heads  draw  up  the  boundaries  identifying 
where  a  line  manager's  responsibility  for  conducting 
vulnerability  assessments  and  management  control  reviews 
begins and ends. Steps three and five were explained in depth
earlier  in  this  chapter  and  step  six  was  covered  during  the 
explanation  of  FMFIA  in  Chapter  III.   [Ref.  21] 

Steps  four  and  seven  are  quite  important  and  deserve 
further  explanation.  Developing  plans  for  subsequent 
actions  is  important  because  it  focuses  management's 
attention  on  the  actions  necessary  to  correct  the  potential 
risks  identified  during  vulnerability  assessments.  This 
planning  and  scheduling  allows  management  to  coordinate  the 
function  from  a  central  location  within  its  activity.  After 
the  program  was  initially  set  up  within  DON,  this  step 
became the initial action for continuing the process on a
cyclical  basis.  Steps  one  and  two  were  eliminated  from  the 
process  unless  the  activity  was  reorganized  on  a  significant 
scale.  Finally,  step  seven  indicates  that  follow-up  is  an 
essential  element  in  the  overall  process.  This  step  is  the 
internal  control  inherent  within  the  internal  control 
program  process  to  ensure  that  the  efforts  of  the  program 
are  not  lost  by  management's  indifference.   [Ref.  22] 

While  the  process  is  similar  throughout  the  Navy,  the 
schedule  for  taking  action  on  the  process  is  driven  by 
FMFIA's  reporting  requirements.  Each  command  level  within 
the  Navy  modifies  its  reporting  requirements  to  allow 
sufficient  time  for  SECDEF  to  compile  his  composite  report 
to  the  Congress.  Since  the  field  work  for  this  thesis  deals 
with  a  Naval  Shipyard,  NAVSEA's  reporting  requirements  and 
time  frames  are  listed  below  as  a  typical  example: 

(1) Results of Management Control Reviews and Reviews of
Other Management Actions (Annually),

(2) Internal Control Certification Statement (Annually),

(3) Consolidated Vulnerability Assessment Form (Every
Fifth Year),

(4) Updated Inventory of Assessable Units (Every Fifth
Year),

(5) Status of Corrective Actions (Semiannually). [Ref.
22:encl. 3, p. 6]

NAVSEA last updated the above schedule in July of 1987 after
the CNO issued interim guidance on additional reporting
requirements [Ref. 24].

F.   INTERNAL  CONTROL  PROGRAM  EVALUATION

Before  turning  in  the  next  chapter  to  the  results  of  an 
on-site  study  of  one  Naval  Shipyard,  a  summary  of  the  Naval 
Audit  Service's  latest  evaluation  is  provided  as  an  overview 
for  comparing  the  observations  made  at  a  local  activity. 

The  Naval  Audit  Service  (NAVAUDSVC)  is  the  internal 
review  function  for  SECNAV.  Since  passage  of  FMFIA, 
NAVAUDSVC  has  been  tasked  with  periodically  reviewing  the 
Navy's  implementation  of  the  internal  control  program.  To 
date,  NAVAUDSVC  has  issued  three  composite  advisory  reports, 
the  last  report  being  issued  on  24  August  1987  [Ref.  25]. 
That  last  report  covers  Navy-wide  implementation  progress 
made through fiscal year 1986. Although that information is
dated by 18 months, Report T30046, Implementation of the
Department of the Navy's Internal Control Program, is the
latest opinion published by the NAVAUDSVC [Ref. 25].

Report  T30046  had  as  its  basic  objectives  to  evaluate 
the  accuracy  of  the  procedures  used  to  identify  and  report 
on  material  weaknesses,  to  determine  if  local  commands  had 
adequate  follow-up  systems  in  place,  to  determine  the  status 
of  corrective  actions  from  previous  years,  and  to  assess  the 
accuracy of the SECNAV's Internal Control Statement to
Congress  [Ref.  25].  The  report  did  not  evaluate  how  the 
Navy's  Internal  Control  Program  promoted  conformity  to  GAO 
standards  and  the  general  objectives  of  FMFIA.  NAVAUDSVC 
limited this latest audit to reviewing results of the
implementing process [Ref. 25]. During that review, 28
major  commands,  including  NAVSEA,  were  evaluated.  Results 
of  NAVAUDSVC's  audit  were  classified  into  two  parts.  Part 
one  covered  findings  from  the  previous  audit,  Report  T30005 
[Ref.  26]  and  part  two  covered  the  objectives  of  the  latest 
audit,  Report  T30046  [Ref.  25].  The  major  finding  in  part 
one was that some of the 28 commands audited had not
established  effective  follow-up  systems  for  monitoring 
corrective  actions.  This  failure  was  a  repeat  finding  from 
the  first  audit  in  1984,  Report  T30254  [Ref.  27].  Findings 
classified  under  part  two  were  as  follows:  subordinate 
commands  did  not  consider  all  sources  for  identifying 
material  weakness,  such  as  old  audit  reports  or  inspection 
findings;  the  required  certification  statements  on  the 
adequacy  of  internal  controls  forwarded  up  the  chain  of 
command  as  feeder  statements  by  local  activities  were 
incomplete;  follow-up  systems  were  still  ineffective  or  not 
established;  and  the  CNO  was  submitting  command  inspections 
for  operating  forces  instead  of  management  control  reviews. 
Findings  in  parts  one  and  two  represent  the  major  concerns 
noted  by  the  NAVAUDSVC  on  a  Navy-wide  basis.  NAVSEA,  while 
included  in  those  reports,  was  found  to  have  an  adequate 
follow-up  system  and  did  not  have  any  of  the  other  major 
deficiencies  noted  above.   [Ref.  17: p.  43] 

V.   AN  INTERNAL  CONTROL  PROGRAM  WITHIN
ONE  NAVAL  SHIPYARD


A.   AN  INTRODUCTION  TO  A  SHIPYARD'S  INTERNAL  CONTROL 
PROGRAM 

This chapter describes an internal control program as
developed by a single Naval Shipyard. The time frame to be
described represents a period of six years from September
1982 through March 1988. Only one shipyard was studied, and it
may not be representative of all Naval Shipyards; however,
based on comparative accounting figures, the shipyard
selected for study is one of the top four in total revenues
and one of the top three in total labor hours utilized. All
accounting figures cited in this chapter and the next were
extracted from NAVSEA's Navy Industrial Fund Reports System
(NIFRS) report dated 2 February 1988. Descriptions
contained in this chapter are a combination of on-site
review of historical records, personal observations of the
shipyard organization and information obtained from
interviews with shipyard, NAVSEA and NAVAUDSVC personnel.
This chapter emphasizes the evolution, organizational
structure and internal control process used by the shipyard.
Individual internal control case studies are analyzed in
Chapter VI.

B.   AN  EVOLUTION  OF  ONE  SHIPYARD'S  INTERNAL  CONTROL
PROGRAM 

As  discussed  in  Chapter  IV,  the  Navy  did  not  officially 
start  its  development  of  an  internal  control  program  until 
SECNAV  issued  the  first  Navy  guidance  in  July  1983.  The 
Naval  Shipyard  that  was  studied  had  no  records  concerning  a 
formal  internal  control  program  prior  to  that  time  as 
confirmed  by  the  Director  of  Internal  Review.  While  no 
formal  internal  control  program  existed  prior  to  1983,  all 
of  the  nine  shipyard  employees  interviewed  acknowledged  that 
internal  controls  were  part  of  their  existing  accounting  and 
nonfinancial  systems.  Personnel  who  were  employed  at  the 
shipyard prior to FMFIA's passage attributed the
responsibility for monitoring the use of internal controls
exclusively  to  the  internal  review  staff.  The  common  belief 
of  all  the  line  managers  interviewed  was  that  breakdowns  in 
internal  controls  were  noted  only  when  discovered  by  audits 
or  inspections  or  when  circumstances  in  an  operation 
required  management's  attention.  Prior  to  July  1983, 
according  to  the  Director  of  Internal  Review,  internal 
controls  were  only  considered  as  a  management  tool  in 
response  to  problems.  There  was  no  formal  mechanism  or 
requirement  that  caused  line  managers  to  anticipate  the 
possibility  of  fraud,  waste  or  abuse.  The  Director  of 
Internal  Review  said  the  anticipation  of  potential  problems 
was  a  strategic  planning  function  done  mostly  by  top  level 
management  during  budget  formulation  and  execution. 

Through interviews with the Director of Internal Review
and  the  Internal  Control  Program  Coordinator,  along  with 
examination  of  historical  records,  it  was  determined  that 
the  shipyard  commander,  in  response  to  the  July  1983  SECNAV 
guidance,  did  at  least  three  things  to  implement  an  internal 
control  program.  First,  he  assigned  responsibility  for  the 
internal  control  program  to  personnel  in  the  Management 
Engineering  Division.  Duties  were  to  be  performed  on  a 
collateral  duty  basis.  There  were  no  other  shipyard  full 
time  personnel  or  assets  assigned  to  this  function.  The 
second  accomplishment  by  the  shipyard  commander  was  to 
present  a  numerical  summary  of  the  corrective  actions  taken 
in  response  to  weaknesses  identified  by  vulnerability 
assessments  and  to  provide  a  letter  describing  program 
implementation as an input to SECNAV's certification and
report  to  Congress  in  December  of  1983.  Verification  of  the 
1983  input  was  possible  only  through  a  verbal  confirmation 
from  personnel  performing  those  duties  because  no  records 
from  that  period  could  be  located.  The  third  and  final 
action taken in 1983 by the shipyard commander was to
require  department  heads  to  have  their  line  managers  support 
the  program's  identified  objectives.  In  1984,  there  were 
two  advancements  in  the  internal  control  program.  As 
described  by  the  Director  of  Internal  Review,  the 
Management  Engineering  Branch  Director  had  obtained  enough 
cooperation from line managers to complete the first
management control reviews based on the 1983 vulnerability
assessments  and  to  report  semiannually  on  schedule  as 
required.  Confirmation  for  those  actions  was  once  again 
obtained  only  verbally  because  local  files  contained  no 
documentation  covering  the  internal  control  program  for  any 
part  of  1984. 

As  noted  in  the  last  chapter,  GAO  and  the  NAVAUDSVC  had 
reviewed  DOD's  Internal  Control  Program  after  the  first  year 
following  FMFIA's  passage.  Those  reports  noted  a  lack  of 
training  and  documentation  concerning  DOD's  implementation 
of  the  internal  control  program.  A  lack  of  any  records  on 
the  actions  taken  by  the  shipyard  parallels  those  findings. 

During  1985,  the  execution  of  the  internal  control 
program  remained  under  the  guidance  of  the  Management 
Engineering  Branch.  The  Director  of  Internal  Review 
recalled  that  an  audit  of  the  internal  control  program 
during  1985  revealed  that  the  program  operated  in  the  same 
manner  as  it  had  during  1984.  He  stated  that  from  his 
perspective  neither  the  quantity  nor  quality  of  actions 
concerning  the  internal  control  program  had  changed  from  the 
previous  year's  effort.  However,  there  was  one  action  taken 
in  1985  by  the  shipyard  commander  concerning  the  Director  of 
Internal  Review  and  his  interface  with  the  internal  control 
program.  The  Internal  Review  function  was  separated  from 
the  Comptroller's  Department.  It  was  after  this  action  that 
the  Director  of  Internal  Review  said  his  staff's  actions 
concerning the audit of the internal control program became
more  formal  and  extensive.  The  Director  of  Internal 
Review's  records  concerning  the  shipyard's  implementation 
and  execution  begin  with  the  shipyard  commander's  December 
1985  report  to  NAVSEA.  This  report  was  the  same  semiannual 
report  that  was  to  be  forwarded  up  the  chain  of  command  so 
that  the  SECDEF  could  report  to  Congress  which  event  cycles 
required  internal  controls  and  what  actions  the  shipyard 
took  to  implement  needed  internal  controls.  Also,  this 
report contained the shipyard commander's annual
certification statement to the CNO for inclusion in the SECDEF's
report  to  Congress  on  the  adequacy  of  internal  controls 
within  the  DOD. 

As  discussed  in  Chapter  IV,  GAO  and  NAVAUDSVC  completed 
their  reviews  of  DOD's  implementation  efforts  in  late  1984. 
According  to  the  NAVSEA  Internal  Control  Coordinator,  NAVSEA 
in  1985  organized  and  began  to  execute  quality  assurance 
checks on its shipyards' internal control programs in
response to the GAO and NAVAUDSVC reviews. The NAVSEA
Internal Control Coordinator also stated that NAVSEA's
quality  assurance  efforts  began  to  affect  the  shipyard  under 
study  in  January  of  1986.  Continuing  the  historical 
description,  the  NAVSEA  Internal  Control  Coordinator  stated 
she  visited  the  shipyard  and  made  three  recommendations  to 
improve  the  program's  performance.  The  first  recommendation 
was  that  the  shipyard  should  start  retaining  documentation 
on actions taken concerning the internal control program.
To  aid  the  shipyard  in  this  task,  NAVSEA's  Internal  Control 
Coordinator  delivered  the  SECDEF  1984  Internal  Control 
Course  and  conducted  on-site  training  for  the  internal 
review  staff  and  the  Management  Engineering  Branch 
personnel.  The  last  two  recommendations  were  that  the 
Internal  Review  Director  be  given  responsibility  for  the 
internal  control  program  and  that  one  person  be  assigned  as 
a  full  time  coordinator  for  the  program. 

The  Director  of  Internal  Review  confirmed  that  the 
shipyard  commander  followed  all  of  those  recommendations 
within  one  month's  time.  Shortly  after  this  change  in  local 
policy,  the  following  actions  were  taken: 

(1)  The   shipyard   performed   detailed   vulnerability 
assessments  on  238  assessable  units, 

(2)  The  shipyard  assigned  17  collateral-duty  Departmental 
Internal  Control  Coordinators, 

(3)  The  shipyard  drafted  a  shipyard  instruction  on  the 
internal  control  program, 

(4)  The  shipyard  conducted  six  complex  management  control 
reviews, 

(5) The shipyard conducted detailed training on the
Internal Control Course,

(6) The shipyard implemented 15 new internal controls.

According to the Director of Internal Review, the actions
taken in 1986 should be considered the first actions to
approach the requirements of FMFIA, because it was during
1986 that the shipyard completely employed all seven steps
involved in the internal control process. In his words,

Without the proper documentation and the line manager's
involvement  in  the  internal  control  program,  it  is 
impossible  in  good  faith  to  state  that  internal  controls 
are  adequate. 

The  Director  of  Internal  Review  stated  that  the 
improvement  and  expansion  of  the  internal  control  program 
continued  in  1987  with  nine  additional  management  control 
reviews  being  completed.  The  researcher's  review  of  the 
internal  control  program  records  confirmed  that  all  reports 
required  by  NAVSEA  Instruction  5200.13  had  been  retained  and 
forwarded  to  NAVSEA.  The  researcher  examined  all  retained 
records  concerning  actions  taken  since  January  1986  and 
confirmed  the  Director  of  Internal  Review's  statement  that 
there  were  now  adequate  records  for  audit  and  review  by 
concerned  parties  external  to  the  shipyard.  The  NAVAUDSVC 
auditor  also  confirmed  that  the  shipyard  was  retaining 
better  documentation  after  the  1986  reorganization.  During 
the  records  review,  the  researcher  noted  that  1987  was  the 
first  year  to  have  an  annual  internal  control  program 
schedule  on  file.  Further  discussions  with  line  managers 
revealed  that  the  Internal  Control  Coordinator  followed  the 
schedule  as  part  of  the  normal  routine  for  the  internal 
control  program. 

The  research  for  this  thesis  concluded  in  March  of  1988. 
Through  that  period  the  researcher  was  able  to  determine 
through  interviews  that  all  previous  actions  that  were 
cyclical  with  regard  to  the  internal  control  program  were 
continuing.   Also,  the  researcher  found  out  from  interviews 
that the new improvements planned for the remainder of 1988
concerned  a  new  schedule  for  vulnerability  assessments, 
issuance  of  a  drafted  internal  control  program  instruction 
and  simplification  of  the  supporting  paperwork  required  by 
the  Navy's  Internal  Control  Program. 

C.   THE  SHIPYARD'S  INTERNAL  CONTROL  PROGRAM  ORGANIZATION 

As  discussed  earlier,  local  commanders  are  required  to 
implement  an  effective  system  for  monitoring  and  ensuring 
that  good  internal  controls  are  used  within  their 
organizations.  The  shipyard  commander  has  the  overall 
responsibility  for  his  internal  control  program.  To  support 
him,  there  are  organizations  internal  and  external  to  the 
shipyard  that  assist  in  the  execution  of  the  requirements  of 
FMFIA.  Internally,  according  to  the  local  shipyard  draft 
instruction  and  NAVSEA  Instruction  5200.13,  he  is  supported 
by  the  Internal  Review  Department,  the  Internal  Control 
Program  Coordinator,  the  Director  of  Industrial  Relations, 
department  heads  and  line  managers  [Ref.  22].  Externally, 
he  is  assisted  by  NAVAUDSVC's  local  shipyard  on-site 
auditors  [Ref.  3]. 

The  principal  working  relationship  necessary  for  the 
internal  control  program  to  function  effectively  is  the 
interface  between  the  shipyard  commander  and  the  Director  of 
Internal  Review  [Ref.  22].  According  to  the  Director  of 
Internal  Review,  that  interface  is  both  frequent  and 
mutually  supportive.   When  the  shipyard  commander  assigned 
the Director of Internal Review the responsibility for
program  execution,  he  gave  the  Director  a  full  time  civil 
servant,  an  increased  budget  and  the  authority  to  develop 
policy  for  the  shipyard's  overall  program  execution.  When 
asked  by  the  researcher,  the  Director  of  Internal  Review 
emphasized  that  the  lines  of  communication  between  the 
shipyard  commander  and  himself  were  both  open  and  direct. 

The  next  participant  in  the  program  is  the  Director  of 
Industrial  Relations.  He  is  designated  to  assist  managers 
and  supervisors  in  developing  Internal  Control  elements 
within  employee  performance  appraisals.  That  action,  as 
stated  by  the  Director  of  Internal  Review,  is  intended  to 
provide  the  incentive  for  all  civilian  employees  to 
cooperate  with  the  requirements  of  the  program. 

The researcher's interview with the Internal Control Program
Coordinator established that the Coordinator was hired in
1986 and is a Management Analyst, GS-12; those facts
indicate when the shipyard commander agreed a coordinator
was required, and what capabilities he agreed were required,
to manage the internal control program. As obtained from the
shipyard's  organizational  chart,  the  Internal  Control 
Program  Coordinator  was  assigned  to  the  Director  of  Internal 
Review.  The  Director  of  Internal  Review  stated  that  the 
Internal  Control  Program  Coordinator  is  provided  support 
from  the  Internal  Review  Staff  for  the  purposes  of 
scheduling,  auditing  and  report  compilation.   According  to 
the Internal Control Program Coordinator's position
description,  he  is  assigned  the  primary  responsibility  for 
coordinating  the  internal  control  process.  Although 
responsible  for  coordination,  the  Internal  Control  Program 
Coordinator  does  not  interface  directly  with  department 
heads.  Coordination  for  the  program  at  that  organizational 
level  is  between  department  heads  and  the  Director  of 
Internal  Review.  In  the  draft  internal  control  program 
instruction  and  as  described  by  the  Director  of  Internal 
Review,  department  heads  are  required  by  the  shipyard 
commander  to  appoint  departmental  representatives  to  assist 
the  Internal  Control  Program  Coordinator  and  to  ensure  that 
the  department  heads  take  an  active  interest  in  the  internal 
control  process.  As  part  of  that  process,  department  heads 
encourage  and  evaluate  their  line  managers'  cooperation  with 
both  the  Departmental  Internal  Control  Coordinator  and  the 
Internal  Control  Program  Coordinator  [Ref.  22]. 

At  the  line  manager's  level  of  authority,  internal 
controls  are  evaluated,  developed,  improved  and  sometimes 
eliminated  so  as  to  prevent  fraud,  waste  and  abuse.  It  is 
the  line  managers  who  should  provide  the  primary  efforts 
necessary  to  ensure  the  program's  success  or  failure.  [Ref. 
5:p.  7] 

All  the  relationships  described  above  are  internal  to 
the  shipyard's  organization.  An  organization  external  to 
the shipyard is the NAVAUDSVC. The NAVAUDSVC has auditors
permanently stationed at all eight Naval Shipyards, and they
perform audits on a continuing basis. As part of their
responsibilities,  auditors  evaluate  the  effectiveness  of 
internal  controls.  As  those  evaluations  take  place,  the 
auditor  provides  recommendations  to  shipyard  personnel  on 
how  systems  or  operations  can  be  improved.  Recommendations 
from  the  auditors  assist  the  local  line  manager  in 
developing  the  correct  control  to  fix  actual  or  potential 
problems.  According  to  the  NAVAUDSVC  auditor  interviewed, 
the  Auditor  General  of  the  Navy  has  a  policy  that  the  Navy's 
Internal  Control  Program  is  to  be  an  integral  part  of  their 
daily  work. 

In  summary,  the  shipyard's  organization  executes  its 
program  by  delegating  authority  down  to  the  Director  of 
Internal  Review  who  acts  both  laterally  and  vertically  to 
execute  the  program.  The  Director  of  Internal  Review's 
principal  focal  point  for  implementation  is  the  Internal 
Control  Program  Coordinator.  The  Internal  Control  Program 
Coordinator  then  accesses  line  managers  through  departmental 
internal  control  program  coordinators.  The  burden  for 
taking  corrective  action  rests  primarily  with  the  line 
managers  who  are  expected  to  coordinate  their  actions  with 
the overall internal control program [Ref. 22: encl. 3, p.
4].

D. HOW THE SHIPYARD USES THE INTERNAL CONTROL PROCESS

In  Chapter  IV,  a  seven  step  process  was  identified  as 
the  basic  structure  around  which  shipyards  should  form  their 
internal  control  program.  The  shipyard  in  this  study  was 
found  by  the  researcher  to  be  utilizing  that  basic  process. 
In  this  section,  the  shipyard's  execution  of  that  process  is 
expanded  upon  to  show  how  that  process  was  tailored  to  fit 
the  needs  and  desires  of  the  shipyard  commander.  The 
discussion  that  follows  in  this  section  was  developed  by  the 
researcher  from  interviews  with  the  Director  of  Internal 
Review  and  the  Internal  Control  Program  Coordinator. 

The  first  step  in  the  internal  control  process  was  the 
organizing  stage.  In  most  cases  this  step  should  have  been 
a  one-time  evolution  if  the  internal  control  program  was 
meeting  the  basic  requirements  identified  in  NAVSEA 
Instruction  5200.13  for  an  effective  internal  control 
program.  But,  the  shipyard  was  required  to  undertake  that 
step twice, once in 1983 when the program started and once
again  in  1986  after  NAVSEA  suggested  that  the  internal 
control  program  be  improved.  The  reorganization  of  the 
internal control program moved the program's responsibilities
from the Management Engineering Branch to the Director
of  Internal  Review.  Also,  reorganization  provided  the  first 
opportunity  to  conduct  necessary  training  through  the  use  of 
the  Navy's  Internal  Control  Course.   After  conducting  the 
training, the shipyard was able to start maintaining records
in accordance with NAVSEA Instruction 5200.13.

The  next  step  in  the  internal  control  process  was  the 
segmentation  of  the  shipyard  into  assessable  units.  That 
step  was  accomplished  on  at  least  three  separate  occasions, 
according  to  the  Director  of  Internal  Review,  first  in  1984, 
again  in  1986  and  finally  again  in  1987.  Normally,  the 
segmentation  of  the  activity  should  be  required  only  once. 
But in this case it occurred three times because, with each
successive attempt, the segmentation became more detailed.
These  facts  were  verified  by  the  researcher's  examination  of 
the  records  retained  after  1986.  Those  records  contain 
correspondence  between  the  shipyard  commander  and  NAVSEA 
that  explained  the  three  attempts  the  shipyard  made  at 
updating  its  assessable  units  inventory.  The  Director  of 
Internal Review explained to the researcher that he had
found that, through greater segmentation of the assessable
units, more line managers became involved in the program.
Greater  segmentation  meant  that,  instead  of  line  managers 
looking  at  a  large  event  cycle,  such  as  the  supply  function 
for  the  shipyard,  they  were  required  to  break  it  down  into 
smaller event cycles. Examples of smaller supply functions
are event cycles like the material receiving process, the
imprest fund process and the open purchase process. It was the
Director of Internal Review's contention that as segmentation
increased, greater numbers of line managers became
involved in the management control review process. With
more  line  managers  involved,  event  cycles  could  be  more 
closely  assessed  for  weaknesses  and  then  those  event  cycles 
could  be  more  easily  corrected. 

Step  three,  the  vulnerability  assessment  step,  had 
occurred  twice  since  the  program's  inception.  In  1984,  only 
broad  areas  were  assessed  and  only  a  handful  of  event  cycles 
were  found  to  have  material  weaknesses,  according  to  the 
Director  of  Internal  Review.  After  the  1986  reassessment, 
greater  potential  errors  were  discovered,  as  documented  in 
the  shipyard's  semiannual  report  to  NAVSEA.  This  increase 
in potential errors was not due to any specific decline in
the shipyard's performance but, according to the Director of
Internal  Review,  the  increase  was  caused  by  the  improved 
efforts  in  assessing  the  segmented  areas.  After  the  1986 
vulnerability  assessments  and  early  in  1987,  the  shipyard 
commander  issued  a  local  notice  advising  line  managers  that 
in addition to those assessments, potential future
management  control  reviews  would  also  be  scheduled  based  on 
four  additional  inputs  to  the  annual  internal  control 
program schedule. These additional inputs, according to the
shipyard commander's notice, were shipyard commander
requests,  findings  from  internal  reviews,  findings  from 
NAVAUDSVC  audit  reports  and  CNO  interest  items. 

The  fourth  step  in  the  internal  control  process  was 
developing  plans  for  subsequent  actions.   According  to  the 
Internal Control Program Coordinator, the shipyard performed
this  step  on  a  semiannual  basis  starting  in  January  of  1987. 
Prior  to  each  semiannual  report  to  NAVSEA,  the  Internal 
Control  Program  Coordinator  said  he  updated  the  shipyard 
commander's  annual  internal  control  program  schedule.  He 
considered  the  following  questions  about  the  local  program: 

(1)  How many vulnerability assessments require a
management  control  review? 

(2)  How  many  audit  findings  need  a  management  control 
review? 

(3)  How  many  new  CNO  interest  items  need  a  management 
control  review? 

(4)  What previous actions identified by a management
control  review  need  to  be  completed? 

(5)  When  should  training  for  departmental  coordinators  be 
conducted? 

(6)  When  should  line  managers  conduct  management  control 
reviews? 

(7)  When  should  the  Internal  Review  Staff  conduct  audits 
of  management  control  reviews? 

During this scheduling and planning process, the Internal
Control Program Coordinator explained, he also conducted his
follow-up of the internal control program. The researcher
checked on this planning and follow-up process by inquiry of
the Director of Internal Review and the six line managers
interviewed during the field work conducted in March of
1988.

Step five of the internal control process was the
execution of management control reviews. At the shipyard,
this step was performed on a continuing basis and was not an
evolution limited to a particular point in time. The reason
for extending the process was that the complexity of
evaluating, designing and implementing new internal controls
required managers to spread the workload over time to fit
their schedules, according to the Internal Control Program
Coordinator. He would interface with line managers daily in
some  cases  to  help  with  the  management  control  reviews.  The 
line  managers  interviewed  by  the  researcher  confirmed  that 
practice. 

Step  six  in  the  internal  control  process  concerned  the 
reports  and  annual  certification  forwarded  to  NAVSEA.  The 
files  on  hand  after  1986  were  complete  and  detailed  when 
compared  by  the  researcher  to  the  standards  outlined  in 
NAVSEA  Instruction  5200.13  [Ref.  22]. 

Step  seven  is  the  follow-up  on  corrective  actions.  The 
Internal  Control  Program  Coordinator  said  he  used  the 
semiannual  reports  as  his  basis  for  conducting  follow-ups 
and  asking  the  Internal  Review  Staff  to  review  management 
control reviews completed during the preceding six-month
period.  As  already  mentioned,  follow-up  occurred  prior  to 
each  semiannual  report  and  involved  the  Coordinator, 
Internal  Review  Staff,  line  managers  and,  in  some  cases, 
both  the  Director  of  Internal  Review  and  department  heads. 
While  the  Director  of  Internal  Review  and  the  Coordinator 
insisted  that  follow-up  actions  were  thorough,  there  was  at 
least  one  case  found  during  the  field  work  where  follow-up 
was not aggressive enough to prevent the automated data
processing functions from falling behind in taking
corrective actions by at least one year.

VI. AN EVALUATION OF THE SHIPYARD'S
INTERNAL CONTROL PROGRAM


A.   OVERVIEW 

The  primary  purpose  of  this  study  is  to  examine  the 
implementation  and  execution  of  the  Navy's  Internal  Control 
Program  at  the  local  activity  level.  Chapter  V  described 
the  implementation  and  some  of  the  unique  circumstances  that 
caused  the  shipyard  to  develop  its  internal  control  program. 
This  chapter  describes  and  evaluates  the  execution  of  the 
internal  control  program.  A  combination  of  three  approaches 
was  used  to  examine  the  execution  of  the  shipyard's  program. 

Approach  number  one  was  designed  to  obtain  impressions 
from  four  key  participants  who  had  either  oversight  or 
management  responsibilities.  To  obtain  this  general 
impression,  two  of  the  persons  interviewed  were  external  to 
the  shipyard's  organization  and  two  of  the  persons 
interviewed  were  internal  to  the  shipyard's  organization. 
The  two  external  persons  interviewed  were  the  on-site  Naval 
Audit  Service  Auditor  and  the  NAVSEA  Internal  Control 
Coordinator.  The  two  internal  persons  were  the  Director  of 
Internal  Review  and  the  shipyard  Internal  Control  Program 
Coordinator. 

Approach  number  two  for  evaluating  the  internal  control 
program's  execution  was  to  compare  the  requirements 
mandated  by  NAVSEA  against  the  actions  taken  by  the  shipyard 
for program implementation. The third and final approach
was  to  describe  six  case  studies  of  specific  examples  where 
internal  controls  were  added  to  prevent  potential  errors  or 
correct  actual  problems.  The  descriptions  contain 
evaluations  of  the  use  of  the  internal  control  process  and 
point  out  where  the  controls  succeeded  or  failed. 

All  of  the  results  identified  within  this  chapter  were 
obtained  through  an  on-site  examination  of  operations  or 
records  and  by  conducting  person-to-person  interviews. 
Facts  and  figures  were  obtained  from  the  NIFRS  report,  a 
monthly summary of all eight Naval Shipyards' financial and
management  accounting  reports,  and  from  the  shipyard's 
historical  records  retained  since  1982. 

B.   FOUR  PERSPECTIVES  ON  HOW  THE  SHIPYARD  EXECUTES  THE 
INTERNAL  CONTROL  PROGRAM 

1. NAVSEA's Internal Control Coordinator Comments

The NAVSEA Internal Control Coordinator's comments
apply to all the Naval Shipyards and do not reflect only the
circumstances existing within the one shipyard studied.
NAVSEA's program coordinator said that the shipyards'
internal control programs are supportive of the overall
goals set by NAVSEA. However, the implementation of the
program has been slower than NAVSEA initially expected.
According to the NAVSEA Internal Control Coordinator, the
most beneficial accomplishment of the internal control
program is that it lessens the burden on the shipyard
internal review staffs for detecting potential errors in all
shipyard functions. The program has put that responsibility
on the line managers and has increased both the coverage and
the frequency of management control reviews. While NAVSEA's
Coordinator  said  that  the  program  is  beneficial,  she  notes 
that  the  program  is  at  times  far  too  paperwork  intensive. 
Because  of  the  complexity  of  maintaining  records  and 
documenting  actions  taken,  there  is  a  reluctance  by  the 
shipyard  personnel  to  use  the  internal  control  process 
extensively. 

One  of  the  more  important  aspects  of  a  shipyard's 
internal  control  program  is  the  freedom  to  investigate 
potential  problems  by  local  management  and  plan  the 
necessary  corrective  actions.  The  NAVSEA  Internal  Control 
Coordinator  said  that  in  some  instances,  when  shipyard 
commanders  had  identified  potential  or  actual  problems  in 
their  semiannual  reports,  those  reports  became  a  basis  for 
criticizing  shipyard  operations.  The  identification  of 
problems  in  too  great  a  detail  had  invited  micro-management 
from  above  the  shipyard  commander's  level  of  authority.  The 
NAVSEA  Internal  Control  Coordinator  said  that,  although  that 
practice  had  only  happened  in  one  or  two  isolated  cases 
during  the  early  years  of  the  Program's  implementation,  the 
impact  of  that  practice  caused  greater  care  to  be  taken  by 
shipyard  commanders  as  to  how  and  what  problems  were 
identified  to  higher  authorities. 

The NAVSEA Internal Control Program Coordinator
explained that the shipyard commanders' increased concern
over  the  reporting  requirement  had  two  specific  beneficial 
results.  First,  it  eliminated  the  attempt  by  shipyard 
commanders  to  identify  small  or  insignificant  details  that 
should  have  been  handled  locally.  Second,  it  encouraged 
shipyard  commanders  to  scrutinize  more  closely  the  content 
of  the  actions  being  submitted  by  line  managers  for  the 
semiannual  reports. 

2. NAVAUDSVC Auditor Comments

The  second  external  impression  of  the  shipyard's 
execution  of  internal  controls  was  obtained  from  an 
interview  with  the  shipyard's  on-site  NAVAUDSVC  Auditor. 
This  auditor  had  an  in-depth  knowledge  of  this  shipyard 
because  he  had  been  assigned  to  it  since  the  passage  of 
FMFIA.  His  tenure  at  that  shipyard  gave  him  the  ability  to 
evaluate  the  program's  implementation  over  its  entire 
history. 

From the auditor's perspective, the program has
several  benefits  and  at  least  two  major  weaknesses.  The 
benefits  are  these: 

(1)  Shipyard  personnel  and  line  managers  support  the 
internal  control  program. 

(2)  Internal  controls  are  more  widely  used  to  prevent 
potential  errors. 

(3)  The  shipyard's  internal  review  staff  and  the 
NAVAUDSVC  auditor  more  frequently  coordinated  their 
efforts  concerning  the  evaluation  of  internal 
controls  in  audits. 

(4)  The most significant benefit is that the Internal
Control  Program  causes  shipyard  managers  to  become 
more  aware  of  their  functions  and  how  they  operate 
with  regard  to  potential  or  real  material  weaknesses. 

While the NAVAUDSVC auditor sees several benefits, he
believes that the program is not as successful as it should
be at combating fraud, waste and abuse. There are currently
two significant problems. The first is that local managers
focus too much of their management control review effort on
reviews specifically mandated by the CNO. The second is
that the follow-up efforts on newly implemented controls are
insufficient in most cases to make long-lasting changes.
The NAVAUDSVC auditor believes that, if the follow-up aspect
were emphasized more, the program could be a more effective
management tool.

Having presented these two external views on the
shipyard's internal control program, two internal
perspectives are also provided to balance the overall
impression about how the program was executed.

3. Director of Internal Review Comments

The  first  internal  perspective  was  obtained  from  the 
Director  of  Internal  Review.  His  general  comments  indicate 
that  the  program's  biggest  problems  are  twofold.  The  first 
problem  is  that  the  process  requires  too  much  paperwork, 
which  tends  to  inhibit  responsiveness  from  the  line 
managers.  Secondly,  the  shipyard  is  highly  decentralized 
and  production-oriented.  Both  circumstances  work  against 
the  idea  of  a  centrally  managed  internal  control  process. 
Because of the decentralized nature of the shipyard's
organization,  attempts  at  improving  event  cycles  that  cross 
lines  of  authority  are  far  too  difficult  and  time  consuming 
for  a  single  line  manager.  To  provide  the  coordination 
necessary  to  correct  the  complex  event  cycle's  problems,  one 
or  more  line  managers  would  need  to  be  taken  away  from  their 
primary  production  goals.  When  the  internal  control  program 
runs  counter  to  those  production  goals,  line  managers  accord 
compliance with the program a lower priority for accomplishment.
Although the Director of Internal Review recognizes
that  situation,  he  summarizes  command  support  to  overcome 
that  situation  as  follows: 

The  Office  of  Internal  Review  has  a  very  supportive 
relationship  with  the  current  shipyard  commander.  The 
shipyard  commander  has  depended  on  the  Internal  Review 
Organization  for  being  the  lead  in  the  internal  controls 
area  and  has  provided  the  necessary  tools  and  muscle  to 
achieve  this  goal.  As  in  any  relationship,  this  remains  a 
two  way  street.  He  has  recognized  the  positive  actions 
taken  by  the  participants  in  this  program  by  giving  us  and 
them  more  responsibility. 

The Director of Internal Review stated it was his
responsibility to monitor the overall efforts of the
internal control program and to maximize its use. He noted
that the shipyard's internal control program was to be
conducted by the line managers without providing them
additional time or personnel assets. The costs of executing
the Program were absorbed within the shipyard's overhead
costs.

4. Internal Control Program Coordinator Comments

As a final perspective, the Internal
Control Program Coordinator, who is the manager most closely
associated with the internal control program, stated that
since  1986  the  shipyard  has  made  significant  improvements  in 
documentation,  training  and  control.  Those  accomplishments 
were  made  possible  only  through  the  strong  support  given  by 
the  shipyard  commander  and  the  Director  of  Internal  Review. 
Line  managers  are  becoming  more  effective  at  identifying 
problems  and  designing  controls.  However,  two  areas  still 
require  further  improvements  to  make  the  program  manageable. 
The  first  area  concerns  further  attempts  to  streamline  the 
paperwork  involved  in  the  process.  The  second  area  concerns 
the  need  for  a  more  effective  follow-up  procedure.  The 
Internal  Control  Program  Coordinator  believes  that  it  is 
most  difficult  to  convince  managers  that  the  process  is  only 
effective  if  it  is  coupled  with  a  strong  follow-up 
procedure. 

C.   HOW  THE  SHIPYARD  MET  THE  REQUIREMENTS  OF  THE  NAVY'S 
INTERNAL  CONTROL  PROGRAM 

Approach number two compares the shipyard's execution of
the internal control program with the requirements mandated
by SECNAV, CNO and NAVSEA. As may be recalled from Chapter
IV.B.3, there are at least six basic requirements that
should be followed in executing a good internal control
program [Ref. 22]. The following descriptions provide a
comparative review of how the shipyard met those
commitments.

1. Requirement Number One

The  shipyard  is  to  designate  an  Internal  Control 
Program  Coordinator.  The  shipyard  performed  this  function 
twice,  once  in  1983  on  a  collateral  duty  basis  and  again 
during  the  1986  reorganization  of  the  program. 

2. Requirement Number Two

The  shipyard  is  to  ensure  that  an  internal  control 
system  is  implemented  and  functioning.  This  requirement  was 
accomplished  by  drafting  a  shipyard  internal  control  program 
instruction  and  by  continuously  performing  the  seven  steps 
of the internal control process identified in Chapter IV.E.

3. Requirement Number Three

The  shipyard  is  to  ensure  that  both  military  and 
civilian  personnel  have  their  responsibilities  regarding 
internal  controls  documented  within  their  evaluations  and 
performance  appraisals.  According  to  the  December  31,  1985 
report  to  NAVSEA,  the  shipyard  was  achieving  this  goal  for 
only  36  percent  of  its  line  managers.  The  Director  of 
Internal  Review  knew  of  no  further  improvement  concerning 
this  requirement  since  that  1985  report.  Subsequent  audits 
of  the  Program  confirmed  the  Director's  belief  about  the 
shipyard's  status  with  respect  to  this  requirement. 

4. Requirement Number Four

The  shipyard  is  to  ensure  that  vulnerability 
assessments,  management  control  reviews  and  other 
appropriate  management  actions  are  performed  and  reported. 
A  review  of  the  historical  records  revealed  that  in  the 
early  years  of  the  program  those  efforts  were  minimal. 
Prior  to  1986  the  shipyard  conducted  approximately  37 
vulnerability  assessments  and  only  24  management  control 
reviews.  After  1986,  the  shipyard  conducted  approximately 
250  vulnerability  assessments  and  77  management  control 
reviews. 

5. Requirement Number Five

The  shipyard  is  to  maintain  documentation  on  all 
vulnerability  assessments,  management  control  reviews,  other 
management  actions  and  corrective  actions.  All  the  required 
documentation  was  being  maintained  after  the  1986 
reorganization.  The  additional  management  actions  included 
correspondence  on  required  reports,  annual  schedules, 
periodic  training,  updates  on  actions  taken  and  historical 
files  of  vulnerability  assessments  and  management  control 
reviews. 

6. Requirement Number Six

The  shipyard  is  to  establish  quality  control  to 
ensure  that  adequate  internal  controls  are  in  place  to 
prevent  loss  or  unauthorized  access  to  resources,  prevent 
errors in reports and information, prevent illegal or
unethical acts and to prevent inefficiencies and adverse
public  opinion.  Under  this  requirement,  the  shipyard's  line 
managers  believed  that  the  Internal  Review  Staff  and 
Internal  Control  Program  Coordinator  were  to  perform  the 
quality  control  function.  However,  this  quality  control 
review  requirement  was  designated  by  NAVSEA  to  be  a 
shipyard-wide  requirement  and  not  an  internal  review 
requirement.  The  internal  review  function  was  given  its  own 
detailed  responsibilities  to  evaluate  overall  program 
compliance,  to  audit  internal  control  documentation  and 
systems  and  to  provide  technical  assistance  to  managers 
conducting  vulnerability  assessments  and  management  control 
reviews  [Ref.  22].  At  the  time  of  this  field  work,  there 
was no internal procedure that required managers to follow
up on internal control actions taken. During the interview with
the Director of Internal Review, it was discovered that
there  were  no  surprise  audits  or  spot  checks  performed  on  an 
unannounced  basis  to  encourage  compliance  with  the  newly 
implemented  controls. 

D. SIX EXAMPLES OF HOW THE INTERNAL CONTROL PROGRAM
WAS USED TO MAKE A DIFFERENCE IN SHIPYARD OPERATIONS

1.   Case  Study  Format 

The third phase of this examination of the execution
of a shipyard's internal control program uses six case
studies. All information in these six case studies was
obtained through on-site observation or examination of
records, facilities and personnel performing the functions
described.  Accounting  data  cited  were  obtained  from  the 
February  1988  NIFRS  report  and  locally  prepared  operating 
statements.  Operating  procedures  evaluated  were  matched 
against  local  instructions  governing  those  procedures. 
Since  the  exact  shipyard  selected  for  examination  and 
evaluation  is  not  specifically  identified  to  maintain 
confidentiality,  local  instructions  are  not  cited  by  name 
or  number.  Navy-wide  guidance  concerning  a  function 
involved  in  any  of  the  following  case  studies  is  identified. 
All  six  case  studies  were  conducted  in  the  same  manner, 
using  a  standard  format.  The  format  was  designed  by  the 
researcher  to  provide  a  consistent  approach  for  drawing 
conclusions  later.  The  basic  format  for  the  six  studies  is 
as  follows: 

(1)  Background.  This  section  describes  the  general 
working  environment  of  the  function  being  studied  to 
indicate  how  the  function  impacts  on  shipyard 
operations. 

(2)  Event  Cycle.  This  section  describes  the  systematic 
steps  involved  in  the  function  in  which  a  weakness 
was  identified. 

(3)  Finding.  This  section  describes  a  material  weakness 
discovered  by  the  line  manager  of  the  event  cycle 
being  described. 

(4)  The  Controls  Used  To  Prevent  Potential  Errors.  This 
section  describes  the  controls  the  shipyard  line 
manager  implemented  to  prevent  the  deficiency  noted 
in  a  finding. 

(5)  Compliance  Testing.  This  section  describes  the 
compliance  testing  performed  by  the  researcher  to 
determine  how  well  the  newly  implemented  internal 
controls  were  working. 

(6)  Risk Assessment. This section describes how the
researcher  evaluated  risk  in  the  event  cycle  after 
the  line  manager  implemented  the  new  internal 
controls.  Risk  is  described  by  using  two 
classifications,  inherent  risk  and  control  risk. 
Inherent  risk  measures  the  researcher's  expectation 
that  material  errors  may  exist  in  the  event  cycle 
before  considering  the  effectiveness  of  internal 
controls.  Control  risk  measures  the  researcher's 
expectation  that  material  errors  in  the  event  cycle 
will  not  be  prevented  or  detected  by  the  internal 
controls.

(7)  Weaknesses  With  The  System  In  Place.  This  section 
describes  additional  weaknesses  discovered  by  the 
researcher  after  the  event  cycle  was  corrected  by  the 
shipyard's  line  manager. 

(8)  Management's  Commitment  Rating.  This  section 
describes  how  the  line  manager  of  the  event  cycle 
being  studied  was  rated  by  using  a  standardized 
questionnaire  (Appendix)  designed  by  this  researcher. 

2. Case A--Blanket Purchase Agreement Function

a.   Background 

The Blanket Purchase Agreement Function is a
Supply Department activity performed within the Purchase
Division, Code 530. There are five blanket purchase
agreement agents assigned to handle 350 indefinite delivery
contracts. The Naval Shipyard uses this type of contract
for approximately 40 percent of its annual purchase
requirements. Total expenditures for shipyard purchases are
approximately $33 million annually, of which $13.2 million
is expended by using indefinite delivery contracts. Open
purchase requirements are received from the Naval Shipyard,
Naval Base and tenant activities to support a primary
mission of ship repair and overhaul.

b. Event Cycle

The  blanket  purchase  agreement  function  begins 
with  a  customer's  request  for  non-standard  material  or 
supplies.  If  the  non-standard  request  can  be  provided  by  an 
established  indefinite  delivery  contract,  the  request  is 
forwarded  to  one  of  five  blanket  purchase  agreement  agents 
for  processing.  The  agent  is  authorized  in  writing  to  place 
a  verbal  order  with  an  approved  vendor  for  the  materials 
requested.  The  blanket  purchase  agreement  agent  directs  the 
vendor  to  deliver  a  specified  quantity  to  the  customer. 
Prior to placing a verbal or written order, the agent is
required  to  ensure  that  the  original  request  has  the 
critical  elements  necessary  to  authorize  the  placement  of 
that  order.  Examples  of  the  required  elements  are  proper 
technical  review,  appropriate  funding,  adequate  descriptions 
of  the  requested  items,  requisition  numbers  and  any  other 
key  elements  required  by  the  Naval  Supply  Acquisition 
Regulation  Supplement  [Ref.  28:sec.  16.5,  pp.  1-5].  The 
receipt  for  material  and  the  ultimate  payment  for  that 
material  is  done  separately  from  the  ordering  function. 
Therefore,  this  event  cycle  ends  with  the  agent's  forwarding 
of  the  order  to  the  Comptroller  for  payment.  The 
Comptroller  will  pay  the  vendor  upon  receipt  of  a 
"confirmation  of  material  receipt"  from  the  customer 
authorized  to  receive  and  accept  that  material. 

c. Finding

During  a  management  control  review  in  Fiscal 
Year 1986, the line manager identified the fact that, if
competent  personnel  were  not  functioning  as  blanket  purchase 
agreement  agents,  the  authorization  function  fulfilled  by 
this  cycle  would  be  in  jeopardy  of  failure.  Additionally, 
it  was  noted  that  agents  were  not  appointed  in  writing. 
This  control  was  designed  by  the  Director  of  the  Purchasing 
Division  to  limit  the  persons  authorized  to  place  verbal 
orders  against  indefinite  delivery  contracts.  Without  this 
control,  the  chance  of  an  unauthorized  purchase  was  greatly 
increased. 

d.  The  Controls  Used  to  Prevent  Potential  Errors

There  were  two  controls  identified  by  the
Director  of  the  Purchasing  Division  to  ensure  that  the
mandatory  policies  for  contracting  described  in  the  Naval 
Supply  Acquisition  Regulation  Supplement  [Ref.  28:sec.  16.5, 
pp.  1-5]  were  met.  The  two  requirements  were  that  all 
persons  placing  verbal  orders  against  blanket  purchase 
agreements  be  appointed  in  writing  and  that  all  purchasing 
agents  will  attend  formal  Navy  training  for  contracting. 

Control  number  one  was  an  administrative  control 
to  have  one  blanket  purchase  agreement  agent  attend  the 
Naval  Supply  System's  approved  Small  Purchase  Course  and  to 
have  four  blanket  purchase  agreement  agents  attend  the  Small 
Purchase  Refresher  Course.

Control  number  two  was  to  authorize  all  blanket
purchase  agreement  agents  in  writing  to  place  verbal  orders. 

e.  Compliance  Testing 

Since  the  target  date  for  implementing  the 
training  control  was  dependent  upon  the  availability  of 
training  quotas,  the  Director  of  the  Purchasing  Division  was 
waiting  for  the  quotas  to  become  available  in  July  1988. 
This  delay  prevented  the  researcher  from  performing 
compliance  tests  of  the  first  control  during  the  March  1988 
field  work.  Although  compliance  testing  for  the  first 
control  was  impossible,  an  investigation  into  the  interim 
actions  taken  by  the  line  manager  was  considered  an 
appropriate  alternative  to  evaluate  the  program's  impact.  A 
review  of  the  system  in  place  revealed  that  all  blanket 
purchase  agreement  agents  had  more  than  one  year's 
contracting  experience  and  they  all  had  been  given  local 
training  on  the  applicable  regulations.  Additionally,  all 
agents  were  routinely  supervised  by  an  appointed  Contracting 
Officer.  Compliance  testing  of  the  second  control  was 
accomplished  by  asking  the  line  manager  if  the  agents  had 
been  authorized  in  writing  to  place  verbal  orders. 

f.  Risk  Assessment 

The  inherent  risk  for  this  event  cycle  is  high 
because  the  complexity  of  purchasing  materials  from  the  open 
market  is  great.  The  requirements  for  authorizing  the
placement  of  an  order  form  a  very  detailed  process  outlined  in
the  Naval  Supply  Acquisition  Regulation  Supplement  [Ref.  28:
sec.  16.5,  pp.  3-5].  This  process  is  further  complicated  by
the  wide  variety  of  materials  requested  in  these
non-standard  purchase  requests.  The  dollar  value  for  these
materials  can  range  from  small  amounts  to  hundreds  and  even 
thousands  of  dollars.  Since  blanket  purchase  agreement 
agents  are  not  experts  in  all  the  applicable  areas  relating 
to  procurement  of  non-standard  material,  a  heavy  reliance  is 
placed  on  the  following  of  published  guidance.  The  control 
risk  is  considered  low  in  this  case  because  the  control  is 
only  an  administrative  control  designed  to  comply  with  the 
Navy  regulations.  The  Navy  regulation  allows  the  option  to 
have  customers  place  verbal  orders  directly  with  vendors. 
However,  the  shipyard  segregated  the  receipt  function  from 
the  ordering  function  by  having  blanket  purchase  agreement 
agents  place  all  verbal  orders. 

g.   Weaknesses  with  the  System  in  Place 

The  field  work  review  of  this  system  revealed  no 
other  potential  or  existing  weaknesses. 

h.   Management's  Commitment  Rating 

A  commitment  rating  was  given  to  the  line 
manager  based  on  the  results  of  a  standardized  interview 
(Appendix).  All  six  line  managers  from  the  selected
shipyard  were  interviewed  using  the  questionnaire  in  the 
Appendix.  The  interview  questionnaire  was  designed  to  ask 
questions  that  would  indicate  knowledge  of  the  Internal
Review  Program,  use  of  the  program,  coordination  with  other
affected  personnel  and  attitude  toward  the  use  of  internal 
controls.  The  line  manager  responsible  for  the  blanket 
purchase  agreement  function  was  the  only  participant  to 
receive  a  score  of  100  percent.  This  means  that  he  (or  she) 
gave  what  the  researcher  regarded  as  the  "right"  answer  to 
all  of  the  31  questions  in  the  interview  questionnaire.

3.  Case  B — Imprest  Fund  Function

a.   Background

The  imprest  fund  function  is  a  Supply  Department 
activity  found  within  the  Purchasing  Division,  Code  530. 
Imprest  fund  purchasing  provides  a  simplified  and  economical 
way  to  purchase  non-standard  materials  or  supplies.  The  use 
of  this  method  was  limited  to  purchases  not  in  excess  of 
$500  per  transaction.  As  a  reimbursable  cash  fund,  the 
imprest  fund  cashier  was  authorized  to  retain  $10,000  as 
working  capital.  The  cashier  was  also  authorized  to  have  an 
alternate  cashier  who  retained  part  of  the  $10,000  to 
provide  workload  relief.  A  turnover  rate  of  3.4  times  per 
month  was  the  velocity  of  the  cash  requested  and  disbursed 
to  meet  cash  on  delivery  requests.  That  turnover  rate 
equated  to  a  dollar  volume  of  $30.4  thousand  per  month.  Of 
the  $33  million  in  annual  open  purchase  business,  the 
imprest  fund  accounted  for  about  1.0  percent.

b.   Event  Cycle

For  this  case  study  two  separate  event  cycles 
were  studied.  They  were  the  order/receipt/payment  cycle  and 
the  reimbursement  cycle. 

The  order/receipt/payment  cycle  begins  with  a 
customer's  request  for  a  non-standard  type  of  material.  The 
normal  purchasing  requirements  are  performed  by  a  small 
purchase  buyer  who  reviews,  approves  and  places  the  order 
with  the  vendor.  Once  the  buyer  establishes  that  the 
appropriate  purchase  method  is  to  use  the  imprest  fund,  he 
or  she  completes  the  required  documentation  for  ordering  the 
requested  material.  This  completed  documentation  is  the 
approval  for  the  imprest  fund  cashier  to  take  one  of  two 
actions.  These  two  actions  involve  either  a  cash  advance  to 
the  customer  for  pickup  and  payment  or  an  establishment  of  a 
material  due-in  order  filed  by  delivery  due-date.  This
filing  allows  the  cashier  to  monitor  the  orders  for  overdue
material.  If  material  is  overdue,  the  cashier
initiates  a  follow-up  with  the  vendor  to  determine  the 
status  of  the  expected  material  and  to  determine  if  any 
further  expediting  is  required  by  the  original  buyer  or 
customer.  If  the  material  is  overdue  for  more  than  sixty 
days,  the  order  is  returned  to  the  buyer  for  a  cancellation 
action. 

When  a  vendor  delivers  material  for  payment,  the 
delivery  can  take  place  in  one  of  three  ways.   First,  if
delivery  is  made  by  the  vendor  through  a  customer  pickup
process,  the  customer  who  wants  to  pick  up  the  material  has
received  cash  from  the  imprest  fund  cashier  by  signing  a 
cash-advance  receipt.  He  then  proceeds  to  the  vendor  with 
the  cash  to  receive  and  inspect  the  requested  material.  The 
vendor  provides  a  paid  invoice  to  the  customer,  who  will 
ultimately  return  that  invoice  to  the  cashier  in  exchange 
for  a  cash-advance  receipt.  Once  this  takes  place,  the 
cycle  is  completed  for  the  first  example. 

A  second  method  for  receipt  and  payment  involves 
delivery  of  the  material  to  the  Supply  Department's 
receiving  section.  Under  this  method,  the  material  is 
received  and  inspected  at  the  shipyard.  The  receiving 
branch  acknowledges  receipt  on  the  vendor's  delivery  ticket 
and  returns  the  ticket  to  the  vendor.  The  vendor  then 
presents  the  delivery  ticket  for  payment  to  the  imprest  fund 
cashier.  At  this  point,  the  second  example  of  the  cycle  is 
completed. 

The  third  way  that  material  is  delivered  for 
payment  is  through  a  direct  material  turnover  process  to  the 
customer.  This  third  method  for  receipt  is  more  of  an 
exception  to  the  cycle  than  an  expected  norm.  Certain  items 
require  direct  turnover  due  to  their  bulk  or  expendable 
nature.  A  good  example  is  dry  ice.  Because  of  the  nature 
of  the  material,  the  vendor  delivers  the  material  directly 
to  the  customer.   However,  the  vendor  is  still  required  to
have  the  material  inspected  by  the  receiving  section.  This
requires  the  vendor  to  have  an  extra  stop  in  the  delivery  of 
the  material.  The  vendor,  after  inspection,  delivers  the 
material  to  the  customer  who  signs  the  delivery  ticket, 
allowing  the  vendor  to  go  to  the  cashier  and  receive 
payment.  Documentation  received  as  part  of  a  completed 
order  becomes  part  of  a  subvoucher  that  is  retained  until 
the  imprest  fund  is  reimbursed  [Ref.  28: sec.  13.4,  p.  16]. 

A  second  cycle  involved  in  the  imprest  fund 
function  is  the  reimbursement  cycle.  This  cycle  starts  when 
the  cashier's  fund  is  expended  to  a  point  where  insufficient 
cash  is  available  to  make  any  more  cash  payments  on  delivery 
or  to  a  point  where  no  more  cash  advances  can  be  provided  to 
a  requesting  customer  using  the  direct  material  pickup 
process.  The  cashier  prepares  a  reimbursement  voucher, 
along  with  the  supporting  completed  orders,  to  be  exchanged 
for  a  check  from  the  shipyard's  Comptroller.  The  check  is 
then  cashed  at  the  local  bank.  After  receiving  the  cash, 
the  cashier  returns  the  fund  to  his  or  her  safe.

c.   Finding

During  the  Fiscal  Year  1986  management  control 
review,  the  functional  line  manager  recognized  one  weakness 
within  each  of  the  two  imprest  fund  cycles.  The  weakness 
attributable  to  the  order/receipt/payment  cycle  centered 
around  the  third  method  of  material  receipt.  In  those 
exceptional  cases,  material  was  not  always  being  received
and  inspected  before  the  cashier  made  a  payment  to  the
vendor.  The  error  in  the  order/receipt/payment  cycle  was 
that  the  cashier  was  not  getting  adequate  documentation  for 
inspection  and  acceptance  of  material;  improper  payments 
occurred. 

The  second  weakness  occurred  in  the 
reimbursement  cycle.  It  dealt  with  the  adequate 
safeguarding  of  assets.  As  it  turned  out,  the  imprest  fund 
cashier  was  transporting  cash  over  long  distances  within  the 
shipyard  without  benefit  of  any  type  of  physical  security. 
The  risk  was  a  potential  loss  of  cash  through  theft; 
however,  no  robbery  attempts  had  ever  been  made. 

d.  The  Controls  Used  to  Prevent  Potential  Errors

The  order/receipt/payment  cycle  control
implemented  after  the  management  control  review  was  to
reiterate  the  policy  that  all  material  paid  for  out  of  the 
imprest  fund  would  be  inspected  and  signed  for  by  the 
Receiving  Section  prior  to  payment. 

The  reimbursement  cycle  control  implemented  was 
to  have  shipyard  Security  escort  the  imprest  fund  cashier 
when  transporting  cash  to  prevent  theft. 

e.  Compliance  Testing 

The  alternate  imprest  fund  cashier  performed  the 
routine  duty  of  making  payments.  The  imprest  fund  cashier, 
on  the  other  hand,  acted  as  a  supervisor  who  was  expected  to 
maintain  the  larger  quantity  of  cash  and  to  monitor  the
alternate  cashier's  work.  When  the  implemented  control  used
to  correct  the  weakness  in  the  order/receipt/payment  cycle 
was  checked,  the  alternate  cashier  was  still  paying  for  the 
exceptional  purchases  without  a  proper  receipt  and 
acceptance  delivery  ticket.  The  control  failed  again 
because  the  imprest  fund  cashier  was  not  checking  the 
alternate  cashier's  work.  A  control  that  would  have 
encouraged  the  alternate  cashier  and  the  imprest  fund 
cashier  to  follow  the  policy  of  paying  only  properly 
received  and  accepted  delivery  tickets  would  have  been  to 
perform  routine  spot  checks  of  both  cashiers'  work  by  the 
Assistant  to  the  Director  of  Purchasing.  As  the  imprest 
fund  cashier's  military  supervisor,  the  Assistant  to  the 
Director  of  Purchasing  is  knowledgeable  of  the  procedures 
and  has  no  access  to  cash  or  receipts  and  no  authority  to
authorize  the  purchase  of  materials.  If  the  policy  was
being  violated,  the  director's  assistant  would  catch  the
problem  in  a  more  timely  manner  and  take  action  to  stop
further  improperly  authorized  payments  and,  perhaps,  relieve
one  or  both  of  the  cashiers  of  their  responsibilities.

When  the  implemented  control  used  to  correct  the 
reimbursement  cycle  was  checked,  the  alternate  cashier  was 
getting  a  shipyard  Security  escort  from  the  bank  back  to  her 
safe.  What  should  have  been  taking  place  was  the  alternate 
cashier  being  escorted  from  the  Imprest  Fund  safe  to  the 
Comptroller's  building,  where  a  check  was  to  be  exchanged
for  the  completed  imprest  fund  orders.  Then,  the  alternate
cashier  was  to  be  escorted  from  the  Comptroller's  building 
to  the  bank,  where  the  check  was  to  be  exchanged  for  cash. 
Finally,  the  alternate  cashier  was  to  be  escorted  from  the 
bank  back  to  the  imprest  fund  safe.  Because  the  alternate 
cashier  was  getting  the  escort  only  from  the  bank  back  to 
the  safe,  shipyard  policy  requiring  the  escort  for  the 
entire  trip  was  being  violated. 

f.  Risk  Assessment 

The  order/receipt/payment  cycle's  inherent  risk 
is  high  because  of  the  complexity  of  the  cycle  and  the  use 
of  a  highly  pilferable  asset,  cash.  The  control  risk  is 
moderate  because  the  control  used  does  not  always  work.  The 
alternate  cashier,  in  some  cases,  allows  small  dollar  items 
that  are  for  direct  delivery  to  bypass  the  receiving 
control.

The  reimbursement  cycle  involves  the  use  of  cash 
so  the  inherent  risk  is  high.  Control  risk  is  moderate 
because  the  weaknesses  identified  in  the  next  section  still
exist  even  after  the  controls  were  added  to  the 
reimbursement  cycle. 

g.  Weaknesses  with  the  System  in  Place 

In  both  cycles,  the  physical  protection  of  assets  left
a  potential  for  loss;  the  cashier's  office  was  openly
accessible  to  other  departmental  personnel,  who  also  had
access  to  the  material  due-in  orders.

h.   Management's  Commitment  Rating

Using  the  standardized  questionnaire  (Appendix),
the  imprest  fund  line  manager  received  a  97  percent  score. 
Program  support  was  high,  but  the  results  of  the  compliance 
testing  indicated  that  follow-up  on  corrective  actions  was 
not  effective. 

4.   Case  C — Cash  Flow  in  the  Cafeteria  System

a.   Background 

The  cafeteria  system  is  a  non-appropriated  fund 
activity  working  as  part  of  the  Industrial  Relations 
Organization,  which  reports  directly  to  the  shipyard 
commander.  Its  primary  function  is  to  provide  retail 
service  outlets  for  shipyard  employees'  convenience  in  the 
areas  of  shoes,  bakery  products  and  food  services.  The 
system  consists  of  eight  outlets,  including  three 
cafeterias,  one  shoe  store,  one  bake  shop  and  three 
canteens.  Annual  revenues  total  approximately  $1.5  million. 
Direct  cash  collections  through  retail  outlets  total 
approximately  $6,000  daily,  on  a  20  day  per  month  operating 
cycle.  Cash  collections  represent  96  percent  of  annual 
cafeteria  system  revenues.  Operation  of  non-appropriated 
fund  activities  is  supported  by  the  Navy  Industrial  Fund 
only  to  the  extent  to  which  those  activities  receive 
facilities  support.  All  other  operations  and  expenses  are 
paid  from  revenues  generated  within  the  retail  outlets.

b.   Event  Cycle

This  cash  flow  cycle  begins  with  a  collection  agent 
who  picks  up  locked  bags  daily.  The  collections  are  made  to 
transport  the  daily  earnings  held  by  cashiers  in  various 
locations  to  the  cafeteria  office.  Each  cashier  has  an 
independently  operated  cash  register  which  utilizes 
serialized  and  metered  cash  register  tapes.  Cafeteria 
cashiers  share  two  consolidated  collection  bags,  the  three 
canteen  cashiers  use  individual  collection  bags  and  the  bake 
shop  and  the  shoe  shop  use  individual  collection  bags. 
Although  there  are  12  cashiers,  there  are  only  seven
collection  bags  for  the  collection  agent  to  collect  daily. 
In  the  consolidated  and  the  individual  collection  bags,  the 
cashiers  place  the  cash  register  tapes  and  the  individual 
original  Daily  Activity  Records,  along  with  the  cash 
generated  from  sales  in  excess  of  the  authorized  change 
funds.  Each  cashier  retains  a  copy  of  the  Daily  Activity 
Record,  which  represents  each  cashier's  accountability. 
This  copy  is  later  forwarded  to  the  manager  for  cross 
verification  and  filing. 

The  manager  of  the  cafeteria  system  has  total 
responsibility  for  the  proper  operation  of  all  accounting 
and  financial  controls  within  the  cafeteria  system.  As  part 
of  the  manager's  office  staff,  three  people  are  involved  in 
the  cash  flow  process.  Those  persons  are  an  assistant 
manager,  a  collection  agent  and  a  secretary.   The  assistant
manager  is  responsible  for  accounting,  the  secretary
prepares  the  daily  deposits  and  the  collection  agent 
collects  cash  receipts  and  also  handles  the  office  telephone 
and  food  ordering  duties.  The  collection  agent  has  no 
access  to  the  contents  of  the  locked  bags.  They  are  given 
to  the  office  secretary,  who  validates  the  receipts, 
prepares  the  daily  deposit,  and  prepares  a  daily  cash  report 
summary  in  two  copies.  One  copy  is  forwarded  to  the  manager 
and  one  copy  is  given  to  the  assistant  manager  for  posting 
journal  entries.  The  secretary  places  the  deposit  in  a 
locked  bag,  which  is  given  to  the  assistant  manager  for 
delivery  to  the  bank.  The  assistant  manager  does  not  have 
access  to  the  contents  of  any  locked  bag.  The  bank  returns 
the  deposit  slip  via  mail  to  the  manager.  Periodic 
reconciliation  is  made  by  the  manager,  using  the  original 
Daily  Activity  Reports,  deposits  and  daily  summaries.  Each 
person  who  has  access  to  cash  has  one  or  more  independent 
checks  of  their  work  performed.

c.   Finding

During  the  management  control  review  in  Fiscal 
Year  1986,  the  line  manager  identified  two  weaknesses. 
First,  all  funds  and  cash  were  not  verified  daily  and, 
secondly,  cashiers  were  aware  of  the  time  and  place  when 
their  change  funds  were  to  be  audited.  The  potential 
problem  resulting  from  not  completely  verifying  cash 
collections  daily  was  that,  if  the  secretary  did  not  feel
like  prelisting  all  the  receipts  on  the  daily  cash  report
summary,  she  could  hold  one  of  the  locked  bags  in  her  safe
overnight  and  make  the  entries  on  the  following  day.  This
practice  could  cause  two  discrepancies.  First,  the  audit
trail  tracing  the  complete  day's  sales  receipts  from  the
deposit  slips  would  not  match  an  audit  made  by  the  manager 
when  adding  the  individual  daily  activity  records  forwarded 
from  the  cashiers.  This  would  make  tracing  cash  difficult. 
Also  the  activity's  accounting  records  would  not  show  the 
true  sales  on  the  day  on  which  they  occurred.  The  second 
problem  caused  by  the  secretary  holding  cash  overnight  was 
that  the  potential  existed  for  her  to  use  that  cash  for 
personal  purposes.  This  could  be  done  by  always  leaving  one 
day's  collection  out  to  be  posted  later.  With  regard  to 
the  second  weakness  noted,  cashiers  knowing  the  time  and 
place  of  change  fund  audits  allowed  for  the  possibility  that 
dishonest  people  could  use  the  change  fund  for  personal 
business  until  they  could  return  it  to  the  cash  register.

d.   Controls  Used  to  Prevent  Potential  Errors

As  a  result  of  the  management  control  review, 
the  line  manager  developed  two  controls  to  eliminate  the 
potential  errors  identified  in  the  preceding  section.  The 
first  control  was  designed  to  prevent  the  destruction  of  an 
audit  trail.  The  assistant  manager  performed  daily  spot 
checks  of  the  secretary's  cash  verifications  to  ensure  that 
all  cash  collection  bags  were  included  in  the  daily  deposit.
To  eliminate  the  cashier's  knowledge  of  when  a  change  fund
was  to  be  audited,  the  assistant  manager  conducted  random 
audits  requested  by  the  manager  on  short  notice. 

e.  Compliance  Testing 

A  review  of  this  cycle  by  on-site  observation  of
the  process  revealed  all  controls  were  in  place  and 
operating  as  designed.  The  two  new  controls  were  also 
operating  and  were  verified  by  questioning  the  responsible 
persons  involved  in  the  cycle. 

f.  Risk  Assessment 

The  inherent  risk  in  this  cycle  is  high  because 
of  the  large  number  of  cashiers  and  the  extensive  use  of 
cash.  Control  risk  is  low  because  controls  are  in  place  to 
prevent  theft.  No  one  person  or  even  one  pair  of  persons 
controls  the  collection  process.  This  makes  theft  without 
collusion  quite  difficult. 

g.  Weaknesses  with  the  System  in  Place 

During  the  compliance  testing  phase,  one 
additional  weakness  was  noted  and  discussed  with  the  line 
manager.  The  potential  weakness  dealt  with  the  fact  that 
neither  the  assistant  manager  nor  the  manager  documented  the 
performance  of  the  surprise  change  fund  audits.  Without 
some  sort  of  documentation  proving  the  control  was  in  place, 
the  manager  could  not  verify  which  cashiers  had  undergone 
surprise  verification  or  if  all  cashiers  were  routinely 
included  for  surprise  verification.   It  was  still  possible
for  some  cashiers  to  assume  they  may  never  be  audited,  if
they  were  missed  routinely  through  oversight  by  the  manager.

h.   Management's  Commitment  Rating

Based  on  the  standardized  questionnaire
(Appendix)  the  line  manager  for  this  cash  flow  cycle  was
rated  at  97  percent.   The  tight  controls  and  working
implementation  noted  during  the  compliance  testing  were
consistent  with  the  attainment  of  that  score.

5.   Case  D — The  Automated  Data  Processing  Security  Function

a.   Background

The  automated  data  processing  security  function
includes  all  the  measures  required  to  protect  against
unauthorized  disclosure,  modification,  destruction  or  access
to  Automated  Data  Processing  (ADP)  systems  and  data.   Within
the  shipyard,  Navy  Industrial  Fund  Accounting  is  performed
on  ADP  systems.   The  value  of  dollar  transactions  processed
on  those  ADP  systems  is  $500  million  annually.   In  addition
to  the  accounting  consideration,  shipyard  ADP  processes
three  levels  of  information.   Level  one  is  classified
information,  level  two  is  information  not  available  for
public  or  foreign  access,  and  level  three  is  all  other
information.   In  order  to  provide  adequate  control  over  ADP
systems  and  data,  the  shipyard  has  an  ADP  Security  Officer
who  acts  as  the  shipyard  commander's  expert  for  these
matters.   The  shipyard  was  using  one  mainframe  computer,
eight  mini-computers  and  hundreds  of  micro-computers  with
possible  modem  access  to  the  mainframe.  To  provide  adequate
security  control,  39  ADP  Systems  Security  Officers,  four 
Terminal  Area  Security  Officers,  two  Office  Information 
Security  Officers  and  two  Network  Security  Officers  report 
to  the  shipyard's  ADP  Security  Officer.  The  system  is  large 
and  expanding. 

b.  Event  Cycle 

There  were  ten  different  event  cycles  assigned 
to  the  ADP  Security  Officer  within  the  shipyard's  ADP 
instruction.  The  one  identified  for  management  control 
review  dealt  with  the  ADP  equipment  acquisition  process. 
When  a  customer,  usually  a  line  manager,  desires  acquisition 
of  ADP  equipment,  he  or  she  submits  an  18-point  justification
to  Code  149,  the  Planning/Project  Management  Division
Head,  for  authorization  to  initiate  a  procurement  action.
The  approval  and  purchase  request  are  then  forwarded  to  Code
530,  the  shipyard's  Purchasing  Division,  where  the
procurement  is  started.  Upon  receipt  of  the  material, 
Supply's  Receiving  Section  turns  the  equipment  over  to  the 
originator  of  the  purchase  request.  The  cycle  is  designed 
to  provide  a  centralized  authorization  point  for  shipyard 
ADP  procurement  in  order  to  maintain  control  over  assets  and 
their  applications. 

c.  Finding 

During  the  management  control  review  conducted 
in  Fiscal  Year  1986,  it  was  discovered  that  ADP  equipment
had  been  purchased  for  use  on  classified  data,  for  which  the
level  of  control  was  insufficient.  Line  managers  were 
requesting  ADP  equipment  and  Supply's  Purchasing  Agents  were 
buying  ADP  equipment  that  was  not  adequately  secured  to 
process  classified  information.  Thus,  the  possibility 
existed  that,  once  the  ADP  equipment  was  purchased, 
expensive  retro-fit  would  be  required  to  protect  the 
classified  material  against  unauthorized  access. 

d.  The  Controls  Used  to  Prevent  Potential  Errors

The  control  used  to  correct  the  potential  error
of  purchasing  inappropriate  ADP  equipment  was  to  provide  a
written  security  plan,  along  with  the  18-point  justification,
that  identified  the  types  of  data  and  uses  expected
for  the  equipment  being  requested.  The  ADP  Security  Officer 
ensures  that  the  equipment  requested  is  appropriate  for  the 
level  of  data  being  processed  on  that  machine  before  any 
procurement  action  can  be  taken. 

e.  Compliance  Testing 

Review  of  the  cycle  and  the  control  in  place 
indicated  that  the  new  control  was  working.  Observation  and 
interviews  confirmed  that  an  inappropriate  procurement  was 
not  being  forwarded  to  Supply.  Documentation  was  on  file 
for  all  requests  that  had  been  made  since  the  control  was 
implemented.

f.  Risk  Assessment

Inherent  risk  is  high,  considering  the  decentralized
use  of  ADP  equipment  and  the  levels  of  information
processed  on  those  assets.  Control  risk  is  moderate
because,  even  with  the  new  control  in  place,  there  is  still
the  possibility  that  the  ADP  collateral  duty  security
officers  are  not  being  notified  that  new  equipment  has  been
added  to  their  areas  of  responsibility.  This  additional 
weakness  is  discussed  in  the  next  section. 

g.  Weaknesses  with  the  System  in  Place 

One  weakness  was  noted  in  the  system.  The  new 
control  was  designed  to  provide  a  centralized  authorization 
and  control  over  ADP  procurement.  However,  after  the  ADP 
equipment  was  received  by  Supply,  the  material  was  turned
over  to  the  originator  of  the  purchase  request.  No
notification  was  sent  to  the  approving  authority,  Code  149,
that  the  equipment  was  added  to  shipyard  assets.  The  ADP
Security  Officer  had  to  depend  upon  the  originator  of  the
request  informing  the  supporting  ADP  collateral-duty
security  officers  that  their  area  of  control  had  been 
expanded. 

h.   Management's  Commitment  Rating 

Based  on  the  standardized  questionnaire
(Appendix),  this  line  manager  scored  44  percent.  The
internal  control  program  did  not  appear  to  be  an  effective
tool  for  this  line  manager.

Because  this  line  manager  scored  so  poorly  on
the  standardized  questionnaire,  the  researcher  interviewed 
him  further  to  understand  why  the  responses  were  so 
different  from  those  received  from  the  other  five  line 
managers  interviewed.  As  explained  in  detail  by  this  line 
manager,  he  believed  that  in  the  beginning  the  internal 
control  program  was  a  way  to  make  permanent  changes.  He  had 
been  disappointed  to  find  that  overall  shipyard  policy 
concerning  his  areas  did  not  change  because  of  the 
weaknesses  he  identified  during  the  vulnerability 
assessments.  Almost  all  of  the  areas  that  he  had  assessed 
were  originally  evaluated  as  being  high  in  their  exposure  to 
risk.  When  his  assessments  were  forwarded  to  his  department 
head,  he  was  required  to  reassess  the  ratings  and  provide 
more  detailed  justifications  as  to  the  potential  problems  or 
errors.  He  was  firm  in  his  belief  that  his  original 
assessments  were  correct  and  refused  to  make  the  requested 
changes  or  to  provide  the  additional  detail  outlining 
specific  weaknesses.  Eventually,  he  was  required  to  lower
his  assessments  because  he  had  not  provided  more  specific
details.  He  stated  that,  from  that  point  on,  he  would
provide  only  the  inputs  for  the  internal  control  program 
specifically  requested  by  the  Internal  Control  Program 
Coordinator. 

The  researcher  went  further  to  ask  the  Director 
of  Internal  Review  and  the  Internal  Control  Program 
Coordinator  if  they  believed  this  line  manager  was  unfairly 
treated  by  his  department  head.  They  both  confirmed  that 
this  line  manager  was  known  to  be  overly  zealous  about  the 
potential  risks  and  very  vague  in  providing  facts  or 
recommending  possible  corrective  solutions.  They  attributed 
these  problems  to  that  manager's  poor  health,  which  had 
necessitated  an  involuntary  job  reassignment  and  induced  his 
superiors  to  make  allowances  for  his  opinions.  Without 
detailed  weaknesses  or  corrective  actions  supplied  by  the 
ADP  Security  Officer,  the  department  head  of  this  area  had 
no  choice  but  to  lower  the  assessments.  The  researcher 
believes  that  the  44  percent  score  received  by  this  line 
manager  is  more  attributable  to  the  line  manager's  attitude 
than  actual  lack  of  knowledge  about  the  program. 

The  corrective  action  in  this  case  fixed  only 
part  of  the  entire  cycle.  Upon  review,  in  nine  other  areas 
not  studied  in  detail  here,  this  line  manager  failed  to  meet 
any  other  target  dates  for  making  changes  to  weaknesses 
identified  during  the  Fiscal  Year  1986  management  control 
reviews. 

6.   Case  E — Material  Control  in  Shop  07 

a.   Background 

Shop  07  is  one  of  three  facilities  support  shops 
within  the  shipyard's  Public  Works  Department.  This  shop 
has  an  annual  budget  of  $12  million,  which  represents  three 
percent  of  the  entire  shipyard's  budget.  Shop  07  employs 
pipe-fitters,  machinists,  equipment  operators,  carpenters, 
masons,  painters,  electricians  and  at  least  seven  other 
types  of  tradesmen.  Shop  07's  mission  is  to  support  the 
maintenance  and  repair  of  all  buildings  and  mechanical 
distribution  systems.  In  order  to  perform  this  ongoing 
maintenance  effort,  Shop  07  utilizes  a  material  warehouse, 
tool  room  and  key  shop.  All  of  these  areas  contain 
expensive  and  highly  pilferable  materials.  The  warehouse 
alone  protects  inventory  that  is  valued  at  nearly  $500 
thousand. 

b.   Event  Cycle 

Material  control  is  the  event  cycle  recognized 
as  the  most  vulnerable  within  Shop  07.  It  starts  with 
material  receipt  by  a  custodian  who  places  the  material  on 
his  inventory.  Breakouts  of  the  materials  from  the 
warehouse,  tool  room  or  key  shop  are  done  by  presenting  the 
appropriate  requisitioning  paperwork  to  the  responsible 
custodian.  Each  of  the  above  three  activities  has  its  own 
independent  custodian,  since  each  activity  requires  daily 
operation  and  access.  The  custodian  issues  the  material  and 
makes  the  requestor  acknowledge  receipt  of  the  material  or 
tools  in  writing.  This  documentation  is  then  used  to  reduce 
the  on-hand  balance  of  the  inventory.  In  the  case  of  tools, 
when  the  requesting  worker  returns  the  tool,  the 
documentation  is  returned  to  the  worker  and  the  custodian 
increases  his  inventory.  For  the  key  shop,  the  emphasis  of 
the  cycle  is  to  control  physical  access  to  equipment  that 
would  allow  the  making  of  unauthorized  keys.  After-hours 
issues  are  controlled  by  computerized  locking  systems. 

c.  Finding 

During  the  Fiscal  Year  1986  management  control 
review,  the  line  manager  recognized  that  two  weaknesses 
required  correcting.  First,  the  warehouse's  fire  control 
sprinkler  system  had  no  backup  water  shut-off  capability. 
The  potential  error  here  was  the  unnecessary  accidental 
exposure  of  material  stored  in  the  warehouse  to  water  damage 
caused  by  the  sprinkler  system's  failure.  Failures  were 
possible  because  of  corrosion,  water  surges  and  earthquakes. 
The  second  weakness  focused  on  warehouse,  tool  room  and  key 
shop  access  after  the  responsible  custodian  was  gone  for  the 
day.  Emergency  issues  were  not  tightly  controlled  after 
normal  working  hours.  Accountability  could  never  be 
completely  established  when  emergency  issues  required  that 
numerous  keys  be  distributed  to  many  foremen.  This  policy 
contributed  to  a  situation  that  could  encourage  the 
custodian  to  make  an  unauthorized  issue,  because  the 
unrecorded  issue  could  always  be  blamed  on  an  emergency 
issue. 

d.  Controls  Used  to  Prevent  Potential  Errors 

Two  controls  were  implemented  to  eliminate  the 
weaknesses  identified  during  the  management  control  review 
process.  The  first  control  was  to  place  an  external  water 
shut-off  valve  on  the  warehouse  sprinkler  system  for 
protection.  The  second  control  addressed  the  issue  of 
emergency  access  to  the  warehouse,  tool  room  and  key  shop. 
Computerized  locks  were  installed.  This  new  locking  system 
electronically  recorded  all  accesses  made  to  the  controlled 
areas.  It  employed  the  use  of  serialized  keys  that  were 
assigned  in  writing  to  the  various  shop  foremen  and 
custodians.  If  entry  to  a  controlled  space  was  made  at 
any  time,  the  date,  time  and  person  entering  were  recorded  by 
the  computer.  Daily,  the  shop  superintendent  was  given  one 
of  two  copies  of  the  entries  recorded  on  the  previous  day  or 
weekend.  Personnel  making  emergency  issues  were  tracked 
down  and  the  appropriate  documentation  was  forwarded  to  the 
custodian  to  reduce  his  accountability.  The  custodian  got 
one  of  the  two  entry  printouts  to  alert  him  that  emergency 
issues  were  made.  He  could  then  follow  up  on  the  missing 
paperwork  and  take  a  spot  inventory. 
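
The daily reconciliation described above (entries recorded by the locking system, compared against emergency-issue paperwork) can be expressed as a short check. The Python below is an added example, not part of the original thesis or of the shipyard's system; the record layout, key serial numbers, names and working hours are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample data. The thesis gives no record layout, so every field,
# serial number, name and the working hours below are assumptions.
KEY_ASSIGNMENTS = {          # serialized key -> person it was assigned to in writing
    "K-0101": "warehouse_custodian",
    "K-0207": "foreman_a",
    "K-0311": "foreman_b",
}
WORK_START, WORK_END = time(7, 0), time(15, 30)   # assumed normal working hours

ACCESS_LOG = [               # (date and time, controlled area, key serial)
    ("1988-02-06 10:00", "key shop", "K-0207"),    # Saturday
    ("1988-02-08 09:15", "warehouse", "K-0101"),   # custodian, normal hours
    ("1988-02-08 22:40", "warehouse", "K-0207"),
    ("1988-02-09 02:05", "tool room", "K-0311"),
    ("1988-02-09 03:30", "key shop", "K-0999"),    # serial never assigned
]
ISSUE_DOCS = [               # emergency-issue paperwork: (date, area, person)
    ("1988-02-08", "warehouse", "foreman_a"),
    ("1988-02-09", "warehouse", "foreman_b"),      # no recorded entry matches this
]


def is_after_hours(ts):
    """True on weekends or outside the custodian's normal working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() <= WORK_END)


def reconcile(access_log, issue_docs, key_assignments=KEY_ASSIGNMENTS):
    """Compare recorded entries with issue paperwork.

    Returns (exceptions, unmatched_docs): entries the superintendent must
    follow up on, and paperwork for which the lock recorded no entry.
    """
    unmatched_docs = list(issue_docs)
    exceptions = []
    for stamp, area, key in access_log:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        holder = key_assignments.get(key)
        if holder is None:
            # An entry with a key nobody signed for has no accountable person.
            exceptions.append((stamp, area, key, "key not assigned in writing"))
            continue
        if not is_after_hours(ts):
            continue  # custodian is present and documents the issue directly
        doc = (ts.strftime("%Y-%m-%d"), area, holder)
        if doc in unmatched_docs:
            unmatched_docs.remove(doc)   # each document covers one entry
        else:
            exceptions.append((stamp, area, holder, "no issue documentation"))
    return exceptions, unmatched_docs


if __name__ == "__main__":
    exceptions, orphans = reconcile(ACCESS_LOG, ISSUE_DOCS)
    for row in exceptions:
        print("FOLLOW UP:", *row)
    for row in orphans:
        print("PAPERWORK WITHOUT ENTRY:", *row)
```

Paperwork left unmatched is reported separately because a document with no recorded entry is as much a reconciliation exception as an entry with no document.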

e.  Compliance  Testing 

Through  observation  and  inquiry  of  the  line 
manager  and  his  organization,  the  previously  identified 
controls  were  found  to  be  in  place  and  working  as  designed. 
The  internal  control  program  worked  in  this  case. 

f.  Risk  Assessment 

Inherent  risk  within  the  material  control  system 
is  high  because  of  the  large  numbers  of  personnel  requiring 
after-hours  access  to  warehoused  materials  and  tools.  Also, 
the  assets  within  those  two  areas  of  control  are  highly 
pilferable  items.  Control  risk  is  low  because  the  cycle  is 
simple  and  direct. 

g.   Weaknesses  with  the  System  in  Place 

The  only  weakness  noted  with  the  new  controls  in 
place  was  that  the  external  shut-off  valve  is  not  an 
automatic  system.  The  potential  for  damage  was  reduced  but 
not  eliminated.  However,  the  cost  for  a  completely 
automated  water  shut-off  system  was  felt  to  be  uneconomical 
by  the  Public  Works  Officer,  and  funding  was  not  available. 

h.   Management's  Commitment  Rating 

The  line  manager  in  this  case  was  interviewed 
using  the  standardized  interview  (Appendix)  and  received  a 
score  of  88  percent.  The  program  for  this  manager  was 
working  and  being  utilized  in  a  similar  but  different  format 
on  a  daily  basis.  This  alternate  format  was  called  the 
"Error  Cause  Removal/Corrective  Action"  (ECR/CA)  program. 
The  ECR/CA  program  is  based  upon  the  premise  that  each 
employee  executes  a  mini-management  control  review.  When 
potential  problems  exist,  the  individual  employees  are 
requested  to  identify  the  problem  and  recommend  corrective 
actions  they  feel  will  correct  the  problem.  The  shop 
superintendent  reviews  the  recommendation  and,  if  the  new 
control  is  determined  to  be  a  viable  solution,  he  gives  it 
his  full  support  for  implementation. 




7.   Case  F — Shop  67  Tool  Control 

a.  Background 

Shop  67  is  one  of  16  production  shops  within  the 
Naval  Shipyard.  It  is  responsible  for  weapon  systems 
electronic  support.  There  were  approximately  350  employees 
who  use  tools  and  electronic  test  equipment  on  a  daily 
basis.  Shop  67  represents  5  percent  of  the  shipyard's 
annual  budget,  with  an  $18.5  million  expenditure  in  support 
of  the  repair  and  overhaul  mission.  Tools  are  essential  in 
all  production  shops  and  this  function  has  been  a  continuing 
problem  for  management.  The  Naval  Audit  Service  has 
routinely  found  problems  with  the  tool  control  function  in 
all  shipyards.  In  this  case,  management  of  tools  is 
examined  because  it  is  a  representative  function  common  to 
all  shipyard  production  shops. 

b.  Event  Cycle 

Shop  67  tool  control  management  begins  with  a 
worker's  need  for  a  tool  or  tools.  He  proceeds  to  the 
central  tool  room  where  he  draws  the  required  tool  or  tools. 
The  central  tool  room  custodian  records  the  tool,  the  date 
drawn,  the  person  drawing  the  tool,  his  shop  and  other 
applicable  data  necessary  to  track  the  tool.  Central  tool 
room  issues  are  recorded  by  a  computerized  system.  After 
the  tool  is  issued,  the  worker  is  given  a  due  date  when  the 
tool  should  be  returned  to  the  central  tool  room.  The 
interaction  between  the  worker,  the  tool  room  and  shop 
management  is  performed  by  computerized  reports  and 
delinquency  cards  forwarded  to  Shop  67.  Shop  67's 
management  is  then  responsible  for  utilizing  these  reports  to 
aid  the  shipyard's  overall  management  and  control  of  the 
tool  function.  Shipyard  instructions  direct  the  shop 
superintendents  to  coordinate  with  Code  906,  the  Central 
Tool  Shop  Superintendent,  and  to  designate  a  shop  tool 
coordinator.  His  responsibility  is  to  monitor  delinquent 
and  missing  tool  reports  and  initiate  follow-up  actions. 

Shop  67's  management  cycle  starts  with  the  shop 
tool  coordinator.  He  receives  four  documents  to  aid 
control:  a  Delinquent  Tools  Listing,  Delinquent  Tool  Cards, 
a  Tools  Due  in  30  days  Listing  and  a  Missing  Tools  Report. 
The  shop  tool  coordinator  sends  Delinquent  Tool  Cards  to  the 
worker's  supervisor.  The  supervisor  takes  the  appropriate 
action  to  motivate  the  worker  to  return  the  tool  to  the 
Central  Tool  Room.  The  worker  is  required  to  return  the 
tool  and  then  provide  proof  to  his  supervisor  in  the  form  of 
a  returned  custody  chit  or  a  delinquency  card  stamped 
"returned"  by  the  Central  Tool  Room.  The  supervisor 
initials  the  card  and  returns  it  to  the  shop  tool 
coordinator,  who  monitors  the  return  process. 

The  shop  tool  coordinator  monitors  the  process 
by  using  one  listing,  three  reports,  and  one  supervisor's 
notice.  The  delinquency  card  return  rate  is  monitored  by 
using  the  delinquency  listing  as  a  cross  check  to  track 
delinquency  cards  issued  and  returned.  Next,  the  shop  tool 
coordinator  uses  three  Shop  67  reports  to  evaluate  the 
process  of  the  overall  tool  control  program.  These  reports 
are  a  Summary  of  Administrative  Actions  and  Lost  Report,  a 
Lost  Tools  Report  and  a  Monthly  Delinquent  Tool  Report. 
Finally,  the  shop  tool  coordinator  issues  a  Supervisors 
Delinquent  Tool  Notice  that  highlights  which  supervisors 
have  problems  managing  tool  control  actions.  Using  the 
notice  and  the  delinquency  listings,  the  shop  tool 
coordinator  initiates  actions  for  the  shop  superintendent  to 
have  the  supervisors  reprimand  formally  or  informally 
workers  abusing  the  system.  Stronger  actions  can  also  be 
taken  to  collect  money  for  loss  of  tools  due  to  negligence 
or  theft.  All  tool  losses  are  eventually  charged  to  the 
shop's  overhead,  but  supervisors  cannot  approve  losses  in 
excess  of  $50.  All  losses  greater  than  $50  are  approved  by 
the  shop  superintendent  before  they  are  charged  to  overhead. 
An  additional  part  of  Shop  67's  tool  control  cycle  is  the 
placement  of  all  shop-owned  tools  in  the  central  tool  room 
for  issue  and  tracking.  Shop-owned  tools  are  not  available 
for  issue  to  other  shipyard  shops. 

c.   Finding 

During  the  Fiscal  Year  1986  management  control 
review,  the  line  manager  recognized  that  delinquent 
shop-owned  tools  were  not  being  controlled  and  were  causing 
critical  jobs  to  be  delayed  because  of  lost  or  missing 
specialized  tools.  The  potential  problems  were  theft  and 
lost  time  in  repair  of  critical  electronic  systems. 

d.  The  Controls  Used  to  Prevent  Potential  Errors 

There  were  two  controls  implemented  to  help 
track  shop-owned  tools.  First,  all  shop  tools  were 
inventoried  and  turned  in  to  the  Central  Tool  Room  for  issue 
and  control  through  the  computerized  system.  Second,  all 
shop-owned  tools  were  placed  on  reserve  for  Shop  67's  use 
only. 

e.  Compliance  Testing 

Observation  of  the  system  and  review  of  the  shop 
tool  coordinator's  Delinquent  Tools  Listing,  Summary  of 
Administrative  Actions  and  Lost  Report,  Lost  Tools  Report, 
and  the  Supervisors  Delinquent  Tool  Notice  indicated  the 
controls  were  in  place.  The  internal  control  program  worked 
well  in  this  case.  Missing  and  delinquent  tools  dropped  18 
percent  between  January  and  February  1988. 

f.  Risk  Assessment 

The  inherent  risk  is  very  high  because  of  the 
decentralized  use  of  tools  and  enforcement  through  large 
numbers  of  supervisors.  Tools  are  often  pilfered  and  this 
compounds  the  problems  faced  in  controlling  tools.  Control 
risk  is  high  because  most  controls  center  in  the  Central 
Tool  Room,  and  these  procedures  do  not  extend  past  the 
assignment  of  custody  to  the  requesting  worker. 

g.   Weaknesses  with  the  System  in  Place 

There  were  no  other  weaknesses  noted  with  the 
controls  in  place. 

h.   Management's  Commitment  Rating 

Based  on  a  standardized  questionnaire  (Appendix) 
this  line  manager  received  a  score  of  85  percent.  Many  of 
the  controls  in  the  overall  shipyard  system  were  initiated 
as  recently  as  the  past  three  years.  Shipyard-wide 
commitment  for  this  area  was  reflected  in  Shop  67's  intense 
management  of  tools.  Costs  are  controlled  tightly  and 
losses  are  charged  to  the  Shop's  overhead.  Considering  the 
environment  and  attitude  of  the  persons  observed  within  Shop 
67's  tool  control  function,  support  for  the  use  of  internal 
controls  was  outstanding  in  Shop  67. 

VII.   CONCLUSIONS  AND  RECOMMENDATIONS 

A.  SUMMARY 

The  purpose  of  this  thesis  was  to  determine  if  the 
internal  control  program  caused  line  managers  to  improve 
their  organization's  event  cycles;  to  determine  under  what 
circumstances  internal  controls  were  used  to  make 
improvements;  and  to  determine  if  the  controls  used  made  a 
lasting  difference. 

This  thesis  began  with  a  general  discussion  of  what 
internal  controls  do,  when  they  are  applied,  and  how  they 
are  tested.  That  discussion  provided  a  general  background 
for  the  remainder  of  the  study.  Next,  the  history  of 
internal  controls  in  the  Federal  Government,  the  Department 
of  the  Navy  and  one  shipyard  was  provided  to  trace  the 
evolution  of  an  internal  control  program.  Included  within 
the  historical  review  were  requirements  for  an  internal 
control  program  and  the  internal  control  process.  In 
conclusion,  the  study  focused  on  interviews,  program 
compliance  and  case  studies  to  evaluate  the  implementation 
and  execution  of  the  internal  control  process  five  years 
after  passage  of  FMFIA. 

B.  CONCLUSIONS 

There  are  five  conclusions  drawn  from  this  study. 

1.  The  Navy's  and  the  shipyard's  internal  control 
programs  have  continually  improved  since  the  passage  of 
FMFIA.  This  conclusion  is  based  on  two  things:  a  documented 
history  of  improvements  since  1983  and  the  examination  of 
one  shipyard's  internal  control  program.  Having  started 
with  a  simple  one-page  certification  of  whether  the 
shipyard's  internal  control  systems  meet  the  requirements  of 
FMFIA,  the  shipyard  is  now  maintaining  extensive  records  of 
vulnerability  assessments,  management  control  reviews  and 
certifications.  The  certification,  supported  by  this 
additional  information,  comes  closer  to  reflecting  the  true 
status  of  the  internal  control  systems  used  within  the 
shipyard.  NAVAUDSVC  audit  reports  covering  the  use  of 
internal  controls  also  reflect  that  Navy-wide  there  has  been 
a  steady  improvement  since  the  passage  of  FMFIA. 

2.  The  internal  control  process  worked  best  on  small 
and  well-defined  event  cycles  where  responsibility  was 
clearly  identified.  This  conclusion  is  based  on  the 
interview  with  the  Director  of  Internal  Review  and  the 
researcher's  ability  to  find  documented  cases  where  only 
small  and  well-defined  event  cycles  were  corrected  by  using 
the  internal  control  process.  Recall  that  the  Director  of 
Internal  Review  stated  that  upper-level  management  was,  at 
present,  unable  to  commit  the  personnel  that  are 
necessary  to  address  large  complex  event  cycles.  He  based 
his  comments  on  the  knowledge  that  the  production  mission 
consumed  most  of  the  available  manpower.  The  researcher 
reviewed  all  retained  documents  concerning  the  shipyard's 
internal  control  program.  There  were  no  cases  where 
management  control  reviews  were  conducted  on  an  event  cycle 
that  extended  beyond  one  manager's  scope  of  authority. 
Where  management  control  reviews  were  performed  by  two 
separate  managers  on  similar  event  cycles,  corrective 
actions  taken  by  one  manager  were  independent  of  the  other 
manager's  efforts. 

3.  The  quality  of  the  information  used  to  certify  that 
the  shipyard's  internal  control  systems  comply  with  the 
requirements  of  FMFIA  is  heavily  dependent  upon  the 
voluntary  cooperation  of  line  managers.  The  reliability  of 
that  input  is  made  questionable  by  the  extensive  paperwork 
associated  with  the  internal  control  process.  The  Internal 
Control  Program  Coordinator's  strong  dependence  on  the 
cooperation  of  line  managers  results  from  his  lack  of 
resources  to  thoroughly  audit  all  the  event  cycles  involved 
in  the  internal  control  program.  The  program,  during  the 
last  update  of  vulnerability  assessment  inventories, 
resulted  in  over  238  different  assessable  units.  The 
expertise  necessary  to  evaluate  that  many  different 
assessable  units  and  their  possible  resulting  management 
control  reviews  is  beyond  the  limited  resources  of  the 
internal  review  staff  or  the  Internal  Control  Program 
Coordinator.  Therefore,  the  coordinator  has  to  rely  on  the 
input  provided  by  line  managers.  However,  a  factor  that 
impacts  on  the  quantity  and  quality  of  that  input  is  the 
extensive  paperwork  required  by  the  internal  control 
program.  Recall  that  the  Director  of  Internal  Review,  the 
Internal  Control  Program  Coordinator  and  the  line  managers 
all  stated  that  one  of  their  biggest  problems  with  the 
program  was  that  it  required  too  much  paperwork.  Also 
recall  that  line  managers  were  not  given  additional 
personnel  resources  to  conduct  the  internal  review  process. 
So,  with  the  manpower  remaining  constant  and  the  workload 
increasing,  the  line  manager  is  forced  to  make  a  decision  to 
concentrate  on  completing  the  detailed  paperwork  or  to 
concentrate  on  conducting  the  vulnerability  assessments  and 
management  control  reviews. 

4.  The  shipyard's  internal  control  program  improved 
after  responsibility  for  the  program  was  given  to  a 
department  head  who  was  permitted  to  hire  an  internal 
control  coordinator.  Prior  to  1986,  the  internal  control 
program  was  performed  on  a  collateral-duty  basis  within  the 
Management  Engineering  Branch.  Documentation  was 
nonexistent,  management  control  reviews  and  vulnerability 
assessments  were  conducted  by  untrained  personnel, 
certifications  of  the  shipyard's  internal  control  systems' 
compliance  with  the  requirements  of  FMFIA  were  made  without 
comprehensive  supporting  information  and  follow-up  on  the 
program's  results  was  not  performed.  After  NAVSEA's 
Internal  Control  Coordinator  reviewed  the  shipyard's 
internal  control  program  in  1986,  a  recommendation  was  made 
to  reassign  responsibility  for  the  program  to  the  Director 
of  Internal  Review.  Once  the  shipyard  commander  made  the 
change,  the  Director  of  Internal  Review  hired  a  full-time 
Internal  Control  Program  Coordinator.  The  coordinator 
caused  all  deficiencies,  with  the  exception  of  an  aggressive 
follow-up  program,  to  be  corrected.  The  coordinator  does 
perform  overall  program  review  with  the  assistance  of  the 
internal  review  staff.  Review  is  not  the  same  as  aggressive 
follow-up,  however. 

5.  Aggressive  follow-up  on  actions  started,  in  progress 
and  completed  remains  a  problem  for  management.  This 
conclusion  is  substantiated  in  all  three  NAVAUDSVC  audit 
reports  conducted  Navy-wide  since  the  program's  start.  From 
the  field  work,  this  researcher  found  cases  where  target 
dates  for  management  control  reviews  were  missed  and  found 
cases  where  internal  controls  were  ineffective  because  line 
managers  failed  to  follow  up  on  the  controls  they 
implemented.  As  already  stated,  the  internal  review  staff 
and  the  Internal  Control  Program  Coordinator  were  performing 
program  review.  A  separate  quality  assurance  effort  is  a 
mandatory  requirement  for  all  levels  of  the  shipyard's 
management  by  NAVSEA  Instruction  5200.13  [Ref.  22],  and  the 
aggressive  follow-up  is  supposed  to  be  a  part  of  that 
effort. 

C.   RECOMMENDATIONS 

The  existence  of  an  internal  control  process  is  assured 
as  long  as  FMFIA  remains  the  law.  However,  there  remains 
the  need  to  make  the  internal  control  process  part  of  a 
manager's  routine  and  not  just  a  special  evolution.  The 
recommendations  that  follow  are  based  on  this  researcher's 
experience  from  this  study. 

1.  Since  aggressive  follow-up  through  the  use  of 
quality  assurance  checks  continues  to  be  a  problem,  the 
shipyard  should  develop  a  compliance  testing  schedule.  It 
should  be  executed  by  the  departmental  internal  control 
coordinators.  The  schedule  should  include  all  event  cycles 
that  implemented  internal  controls  during  the  previous 
year's  management  control  reviews.  Results  should  be  given 
to  the  line  managers  and  the  Internal  Control  Program 
Coordinator.  Where  controls  fail  to  work,  event  cycles 
should  be  included  for  another  management  control  review. 
To  ensure  that  the  departmental  coordinators  perform  their 
jobs,  the  internal  review  staff  should  perform  surprise 
audits  to  see  if  the  coordinators  are  complying  with  the 
follow-up  program. 

2.  The  internal  control  program  should  be  encouraged  by 
coupling  it  with  an  incentive  system.  In  the  Navy,  there  is 
a  beneficial  suggestion  program  that  pays  federal  employees 
for  suggesting  changes  that  save  money.  An  attempt  should 
be  made  by  the  shipyard  management  to  tie  the  internal 
control  process  to  the  beneficial  suggestion  program. 

3.  The  shipyard  commander  should  appoint  a  committee  to 
identify  large  and  complex  event  cycles  that  need  to  be 
corrected  by  using  the  internal  control  process.  The 
committee  would  assign  personnel  to  a  task  force  that  would 
conduct  a  coordinated  management  control  review.  By  using  a 
task  force,  no  one  manager  would  be  made  to  accept  the 
entire  burden  for  making  changes.  The  workload  could  be 
coordinated  to  identify  a  specific  control  objective  that 
meets  the  needs  of  all  managers,  and  necessary  internal 
controls  could  be  developed  to  meet  that  common  objective. 

4.  Training  needs  to  be  expanded  throughout  all  levels 
of  supervision  within  the  shipyard.  Currently,  training  is 
provided  only  to  departmental  internal  control  coordinators. 
The  line  managers  train  themselves  by  using  SECDEF's 
Internal  Control  Course  [Ref.  5].  If  management  is  to  use 
the  internal  control  process  as  a  matter  of  routine,  all 
personnel  involved  in  the  system  need  to  have  an  idea  of 
how,  when  and  where  internal  controls  are  used.  Just  as  the 
Navy  requires  monthly  general  military  training  or  periodic 
safety  training,  internal  control  training  could  be  handled 
on  the  same  basis. 

5.  The  last  recommendation  is  to  have  more  quality 
assurance  checks  made  by  superiors  outside  the  shipyard.  In 
the  six-year  history  of  the  Navy's  Internal  Control  Program, 
NAVSEA  visited  the  shipyard  only  once  to  review  the 
program's  implementation.  A  periodic  on-site  review 
encourages  the  shipyard  to  provide  continued  support  to  the 
program.  Without  this  on-site  review,  the  shipyard  would 
eventually  assume  whatever  input  they  provided  was  adequate. 

APPENDIX 
QUESTIONNAIRE 

Name:  Date: 


Directions:   Circle  Appropriate  Answer 

1.  Do  you  provide  personnel  for  conducting  vulnerability 
assessments  and  management  control  reviews?   (yes/no) 

2.  Do  you  have  a  current  organizational  structure  in  place? 
(yes/no) 

3.  Are  the  right  people  doing  the  right  jobs?  (yes/no) 

4.  Do  you  have  written  guidance  for  workers  defining  their 
jobs  and  the  standards  expected?  (yes/no) 

5.  Do  you  have  a  good  working  knowledge  of  all  your  areas 
of  responsibility?  (yes/no) 

6.  Is  training  available  for  you  covering  your  job? 
(yes/no) 

7.  Is  training  available  for  your  subordinates  covering 
their  jobs?  (yes/no) 

8.  Have  you  considered  each  of  the  following  objectives 
listed  below  when  managing  your  area  of  responsibility? 

a.  Management  and  supervisory  responsibilities  and 
authority  are  clearly  stated  and  understood? 
(yes/no) 

b.  Resources  are  safeguarded  against  waste,  loss, 
unauthorized  use  and  mismanagement?  (yes/no) 

c.  Accounts,  records  and  reports  are  reliable  and 
accurate?  (yes/no) 

d.  Obligations  are  made  in  accordance  with  applicable 
laws?  (yes/no) 

e.  Transactions  are  executed  in  accordance  with 
regulations  and  policies?  (yes/no) 

f.  Internal  control  systems  you  use  emphasize 
prevention  of  specific  or  systematic  weaknesses? 
(yes/no) 

Note:  In  the  following  questions,  assume  you  are  considering 
developing  internal  controls  to  correct  potential  problems. 

9.  Does  the  cost  of  the  controls  currently  used  in  most  of 
your  systems  outweigh  the  benefits  from  having  the 
controls  in  place?  (yes/no) 

10.  Do  you  strongly  support  the  use  of  the  internal  control 
process  by  your  subordinates?  (yes/no) 

11.  Would  you  say  all  personnel  working  for  you  are 
completely  competent?  (yes/no) 

12.  Are  all  the  controls  used  in  your  systems  effective  for 
getting  the  job  done?  (yes/no) 

13.  Do  you  maintain  all  the  required  records  and  files  for 
the  internal  control  program?  (yes/no) 

14.  Are  transactions  that  require  recording  in  your  systems 
recorded  on  time  more  than  85  percent  of  the  time? 
(yes/no) 

15.  Do  you  audit  your  subordinates'  work  routinely  to  ensure 
quality  work?  (yes/no) 

16.  Do  you  understand  the  purpose  for  having  segregation  of 
duties?  (yes/no) 

17.  Do  your  systems  employ  segregation  of  duties  to  protect 
resources  that  could  be  used  to  personally  benefit 
someone  in  some  way?  (yes/no) 

18.  Is  there  adequate  supervision  of  all  personnel  assigned 
within  your  area  of  responsibility?  (yes/no) 

19.  Are  pilferable  assets  safeguarded  by  locks  or  other 
similar  security  methods?  (yes/no) 

20.  Do  any  of  your  areas  of  responsibility  currently  need 
improvement  to  prevent  the  loss  of  assets  and  resources? 
(yes/no) 

21.  Do  you  reevaluate  your  systems  at  least  twice  a  year  to 
correct  or  add  needed  internal  controls?  (yes/no) 

22.  Have  you  requested  an  outside  audit  if  one  has  not  been 
performed  in  the  past  two  years?  (yes/no) 

23.  Have  you  any  outstanding  audit  findings  that  are  overdue 
for  correction?  (yes/no) 

24.  Do  you  have  procedures  in  place  to  discipline  persons 
caught  committing  fraud,  waste  or  abuse?  (yes/no) 

25.  Do  you  monitor  corrective  actions  more  often  than 
semiannually?  (yes/no) 

26.  Are  corrective  actions  from  audits  completed  more  often 
than  50  percent  of  the  time?  (yes/no) 

27.  Is  training  performed  in  your  areas  more  often  than 
semiannually?  (yes/no) 

28.  Does  training  include  training  on  the  use  of  internal 
controls?  (yes/no) 

29.  Do  you  ask  the  internal  review  staff  for  help  in 
correcting  difficult  problems?  (yes/no) 

30.  Do  you  use  the  internal  review  process  for  systems 
beyond  those  mandated  by  the  annual  schedule  from  the 
Internal  Control  Coordinator?  (yes/no) 

31.  Do  you  feel  the  internal  control  program  is  excessive? 
(yes/no) 


Key  used  in  scoring:  All  answers  are  yes  except  numbers  9, 
20,  23  and  31. 